Security Policy

1. Overview

ShakerScan maintains a responsible disclosure path for reports about the hosted service. This policy outlines our security practices, vulnerability reporting procedures, and usage guidelines for our deploy-gate, evidence, and scanning workflows.

2. Reporting Security Vulnerabilities

We take security vulnerabilities seriously and appreciate responsible disclosure from security researchers.

How to Report

  • Email: security@shakerscan.com
  • PGP Key: Available upon request
  • Include affected surface, reproduction steps, impact, and safe proof of concept
  • We triage reports based on exploitability, affected tenants, data exposure, and service impact

3. Scope of Security Testing

In Scope

  • The Shaker web application (shakerscan.com)
  • Authentication and authorization systems
  • Data storage and processing mechanisms

Out of Scope

  • Third-party services and integrations
  • Social engineering attacks
  • Denial of Service (DoS) attacks

4. Responsible Disclosure Guidelines

When reporting vulnerabilities, please:

  • Provide detailed steps to reproduce the issue
  • Include proof-of-concept code if applicable
  • Avoid accessing or modifying other users' data
  • Do not perform destructive testing
  • Keep findings confidential until resolved
  • Allow reasonable time for patching before public disclosure

5. Controlling Policy

If this page, the acknowledgments page, docs, marketing pages, emails, or examples conflict with the Vulnerability Disclosure Policy on what vulnerability research is authorized or how it must be reported, the Vulnerability Disclosure Policy controls.

6. Scanning And Gate Usage Policy

Permission Requirements

Users may only scan domains and web applications that they own or for which they have explicit written authorization from the owner. Unauthorized scanning is strictly prohibited.

Prohibited Targets

  • Government domains (.gov, .mil, and international equivalents)
  • Educational institutions (.edu)
  • Healthcare systems and medical facilities
  • Financial institutions and payment processors
  • Critical infrastructure systems
  • Any system where scanning could cause harm or disruption

7. Data Protection

We use layered controls to protect scan data:

  • Encryption in transit using TLS 1.2+
  • Tenant-scoped access controls
  • Raw and redacted evidence separation where supported
  • Access controls and authentication mechanisms
  • No sharing of scan results without explicit consent

8. Security Features

Application Security

  • Content Security Policy (CSP)
  • HTTP Strict Transport Security (HSTS)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Rate limiting and DDoS protection

Gate Evidence Security

  • Signed AI Gate attestations when configured
  • Evidence hashes bound to release scope
  • Raw/redacted artifact separation where supported

9. Compliance

ShakerScan maps findings and testing workflows to common security references:

  • OWASP Top 10 security guidelines
  • CWE/SANS Top 25 vulnerability categories
  • Industry-standard responsible disclosure practices
  • Customer privacy and data-processing commitments in the published legal pages

10. Contact Information

For security-related inquiries:

Last Updated: May 26, 2026

Material updates are reflected on this page and linked legal/trust surfaces.