Report a Security Issue
If you believe you found a security vulnerability in ScreenshotOne, please report it to us responsibly.
Important: please do not publicly disclose the issue before it has been reviewed and fixed, unless we confirm that public disclosure is OK.
Scope
In scope:
- screenshot rendering and URL fetching;
- dashboard and API endpoints;
- authentication and authorization.
Out of scope (unless clearly impactful):
- issues that require unrealistic user interaction;
- missing security headers without demonstrated impact;
- rate limiting or brute force without real risk;
- denial of service via excessive requests;
- vulnerabilities in third-party services or libraries without a working exploit in our system.
Expected behavior
ScreenshotOne renders untrusted web pages using a browser environment.
The following are considered expected behavior and not vulnerabilities:
- execution of JavaScript within the rendered page;
- access to data that is intentionally exposed by the target website;
- client-side code execution that does not escape the browser sandbox.
Before testing
You are not required to contact us before testing, but we appreciate coordination for complex or high-impact testing.
Please avoid:
- destructive testing;
- service disruption;
- privacy violations;
- accessing data that does not belong to you.
If you discover sensitive data or unintended account access, stop testing and email support@screenshotone.com immediately.
Testing guidelines
Please do not:
- attempt to access internal infrastructure (e.g. metadata services, internal IPs);
- attempt to exfiltrate data from the system;
- perform large-scale automated testing or scanning.
If deeper testing is needed, contact us and we can provide a safe test environment.
Direct reporting
You can report security issues directly to support@screenshotone.com.
We accept responsible disclosures. This address can be used for ScreenshotOne security reports and follow-up questions.
What to include in a security report
Please include enough detail for us to reproduce and validate the issue efficiently. Helpful details include:
- reproduction steps;
- affected URLs, accounts, or features;
- expected behavior and actual behavior;
- potential impact;
- screenshots, logs, requests, or a proof of concept, if available.
Clear, concise reports are easier to triage and fix quickly.
Bounty
We may offer a bounty for valid, impactful reports at our discretion. No bounty is guaranteed.
Typical factors:
- severity and impact;
- clarity and reproducibility;
- exploitability in a real-world scenario.
Reports that clearly demonstrate impact (e.g. data access, sandbox escape, or privilege escalation) are more likely to receive a higher reward.
Safe harbor
If you act in good faith, follow this policy, and avoid accessing or modifying data that does not belong to you, we will not pursue legal action.
This includes:
- avoiding privacy violations;
- avoiding service disruption;
- reporting issues promptly.
Response
We aim to:
- acknowledge reports within a few days;
- keep you updated on progress;
- resolve issues as quickly as possible.
Please note that response times may vary.