Security Policy
Last updated: May 1, 2026
Our commitment
Scorra is a security product. We hold ourselves to the same standard we help our users achieve. We take vulnerability reports seriously, respond promptly, and fix confirmed issues as a priority.
We do not take legal action against researchers who report vulnerabilities in good faith and follow this policy.
Report a vulnerability
If you believe you have found a security vulnerability in Scorra, report it privately to:
security@scorra.io
Please do not open a public issue or disclose details publicly before we have had a chance to investigate and remediate.
What to include in your report
- A description of the vulnerability and potential impact
- The affected URL, endpoint, or component
- Steps to reproduce (screenshots or PoC if possible)
- Any tools or techniques used
- Your contact details if you want follow-up
In scope
- scorra.io and subdomains
- Scanner API endpoints
- Web application (dashboard, reports, auth flows)
- Authentication and session management
- Data access and privilege escalation vulnerabilities
- Payment flow vulnerabilities
Out of scope
- Denial-of-service attacks
- Social engineering of Scorra staff
- Physical security issues
- Vulnerabilities in third-party services (report directly to vendors)
- Issues requiring physical device access
- Scanner findings on third-party targets (normal product behavior)
How we protect your data
- Magic-link authentication, no stored passwords
- Data isolation and row-level security
- HTTPS/TLS in transit with HSTS
- No logging of raw credentials or tokens
- SSRF protection and private-network target blocking
- Pre-commit security checks in engineering workflows
Our response process
- Within 48 hours: acknowledge receipt
- Within 5 business days: initial validation and severity assessment
- On agreed timeline: remediation and notification
- Optional: public credit in researcher acknowledgements
Contact
Security contact: security@scorra.io