Security Policy

CoreReach GEO Scanner


Responsible Disclosure Policy

CoreReach GEO Scanner takes the security of our platform seriously. We welcome security researchers and members of the community to responsibly disclose vulnerabilities they discover. This policy outlines the scope of our program, how to report issues, and what you can expect from us.

Last updated: March 2026 · Expires: January 1, 2027

How to Report

Send vulnerability reports to our security contact. Please include a clear description of the issue, steps to reproduce, potential impact, and any proof-of-concept code or screenshots.

[email protected]

Response Timeline

Within 48 hours: Initial acknowledgment of your report
Within 7 days: Assessment of severity and impact
Within 30 days: Resolution of critical and high-severity issues
Within 90 days: Resolution of medium and low-severity issues
After fix: Coordinated disclosure; we will notify you when the fix is deployed

In Scope

Authentication and session management vulnerabilities
Authorization bypass or privilege escalation
SQL injection or other database-level attacks
Cross-site scripting (XSS) or cross-site request forgery (CSRF)
Server-side request forgery (SSRF)
Sensitive data exposure (API keys, user PII, email content)
Webhook endpoint abuse or signature bypass
Rate limiting bypass on login or API endpoints
Remote code execution or command injection

Scope applies to geoleadscan.com and all subdomains.

Out of Scope

Denial of service (DoS/DDoS) attacks
Physical security attacks
Social engineering or phishing attacks against our team
Vulnerabilities in third-party services (SendGrid, Stripe, Google Maps)
Issues requiring physical access to a user's device
Automated scanner results without proof of exploitability
Missing security headers on non-sensitive static assets
Self-XSS that requires the victim to execute code themselves

Safe Harbor

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, provided they: do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability; do not perform attacks that degrade service availability; do not violate the privacy of our users; and report the vulnerability to us before public disclosure.

Standards & References