Report a Security Issue

Responsible disclosure only. No guaranteed monetary rewards.

We operate a responsible disclosure program. We do not run a public bug bounty program.

If you believe you found a security vulnerability in ScreenshotOne, please report it to us responsibly.

Important: please do not publicly disclose the issue before it has been reviewed and fixed, unless we confirm that public disclosure is allowed.

Scope

In scope:

  • screenshot rendering and URL fetching;
  • dashboard and API endpoints;
  • authentication and authorization.

Out of scope (unless clearly impactful):

  • issues that require unrealistic user interaction;
  • missing security headers without demonstrated impact;
  • rate limiting or brute force without real risk;
  • denial of service via excessive requests;
  • vulnerabilities in third-party services or libraries without a working exploit in our system.

Expected behavior

ScreenshotOne renders untrusted web pages using a browser environment.

The following are considered expected behavior and not vulnerabilities:

  • execution of JavaScript within the rendered page;
  • access to data that is intentionally exposed by the target website;
  • client-side code execution that does not escape the browser sandbox.

Before testing

You are not required to contact us before testing, but we appreciate coordination for complex or high-impact testing.

Please avoid:

  • destructive testing;
  • service disruption;
  • privacy violations;
  • accessing data that does not belong to you.

If you discover sensitive data or unintended account access, stop testing and email support@screenshotone.com immediately.

Testing guidelines

Please do not:

  • attempt to access internal infrastructure (e.g. metadata services, internal IPs);
  • attempt to exfiltrate data from the system;
  • perform large-scale automated testing or scanning.

If deeper testing is needed, contact us and we can provide a safe test environment.

Direct reporting

You can report security issues directly to support@screenshotone.com.

We accept responsible disclosures. This address can be used for ScreenshotOne security reports and follow-up questions.

What to include in a security report

Please include enough detail for us to reproduce and validate the issue efficiently. Helpful details include:

  • reproduction steps;
  • affected URLs, accounts, or features;
  • expected behavior and actual behavior;
  • potential impact;
  • screenshots, logs, requests, or a proof of concept, if available.

Clear, concise reports are easier to triage and fix quickly.

Bounty

We operate a responsible disclosure program, not a bug bounty program.

In rare cases, we may choose to offer a monetary reward at our discretion. Most reports are handled without any monetary reward.

Please do not submit reports with an expectation of payment.

When rewards are granted, we may consider:

  • severity and real-world impact;
  • clarity and reproducibility;
  • demonstrated exploitability.

Rewards are not guaranteed, including for reports demonstrating significant or critical impact (e.g. data access, sandbox escape, or privilege escalation).

Response

We aim to:

  • acknowledge reports within a few days;
  • keep you updated on progress;
  • resolve issues as quickly as possible.

Please note that response times may vary, especially during weekends or periods of limited support capacity.

We expect respectful and constructive communication. Abusive or threatening behavior may result in reports being disregarded.