Report security issues

Vulnerability Disclosure

How researchers and customers report suspected vulnerabilities in ShakerScan itself.

Last updated: 2026-04-27

Reporting channel

Report suspected vulnerabilities to security@shakerscan.com with a clear description, affected surface, reproduction steps, impact, and any safe proof of concept.

Do not access, modify, destroy, or exfiltrate customer data. Avoid privacy-impacting testing and stop immediately if unexpected data is exposed.

Research boundaries

Testing must target ShakerScan-owned surfaces and accounts created for research. Third-party customer targets, worker infrastructure, and destructive tests are not authorized by this policy.

This policy does not create a paid bug bounty or unlimited safe harbor. ShakerScan may recognize helpful reports at its discretion. If ShakerScan later offers limited safe harbor, it must be expressly stated in this policy and conditioned on good-faith research, no privacy harm, no disruption, and prompt reporting.

No customer-target testing

This disclosure policy does not authorize researchers to scan, probe, access, or test customer-configured targets, customer evidence, customer transcripts, private workers, customer credentials, or third-party systems connected to a customer workspace.

If research reveals customer data or credentials, stop immediately, do not retain or share the data, and report the exposure through the security contact.

Response handling

ShakerScan will triage reports based on reproducibility, impact, exploitability, affected tenants, evidence integrity, credential exposure, and availability impact.

Public acknowledgement is discretionary and requires the researcher's consent. ShakerScan does not currently operate a paid vulnerability reward program.

Controlling policy

If the Security Policy, Security Acknowledgments page, marketing pages, docs, or emails conflict with this Vulnerability Disclosure Policy, this policy controls for vulnerability research authorization and reporting boundaries.

Tool names, scanner examples, and acknowledgment categories do not authorize high-volume scanning, destructive testing, exploitation, denial-of-service testing, customer-data access, worker-infrastructure testing, or testing outside this policy scope.

Questions

For legal, privacy, security, or authorization questions, contact security@shakerscan.com.