Security

Vulnerability Disclosure Policy

ReverseLookup welcomes responsible disclosure of security vulnerabilities affecting our Services. If you believe you have identified a security issue, please reach out.

[email protected]

1. How to report

To help us investigate efficiently, please include, where available:

  • A description of the vulnerability
  • Affected URL(s), endpoint(s), or feature(s)
  • Reproduction steps
  • Proof-of-concept materials where appropriate
  • Your contact information

2. Our commitment

  • We will acknowledge receipt of valid security reports within a reasonable amount of time.
  • We will investigate reported issues in good faith.
  • We may request additional information to reproduce or validate the issue.
  • We will keep reporters informed regarding the status of the investigation where reasonably practicable.

3. Good-faith research

Provided you comply with this Policy, ReverseLookup considers good-faith security research to be authorized. Researchers should:

  • Access only the minimum information reasonably necessary to demonstrate the reported issue.
  • Immediately stop testing if personal information is encountered beyond what is reasonably necessary to validate the vulnerability.
  • Avoid modifying, deleting, retaining, copying, publishing, or disclosing personal information except as reasonably necessary to report the issue to ReverseLookup.
  • Avoid disrupting the availability or performance of the Services.

4. Out of scope

This Policy does not authorize:

  • Social engineering or phishing
  • Physical attacks
  • Denial-of-service attacks
  • Malware deployment
  • Credential stuffing or password attacks
  • Spam or excessive automated testing
  • Persistence after a vulnerability has been demonstrated
  • Accessing data beyond what is reasonably necessary to validate the issue
  • Any activity prohibited by applicable law

5. Rewards

Submission of a report does not create an entitlement to a bug bounty or other compensation. ReverseLookup may, at its sole discretion, recognize or reward responsible disclosures.

6. Public disclosure

We request that researchers refrain from publicly disclosing vulnerabilities until ReverseLookup has had a reasonable opportunity to investigate and remediate the reported issue.

7. Urgent incidents

Active incident? Flag it immediately.

If you believe personal information has been exposed or there is an active security incident requiring immediate attention, indicate URGENT SECURITY INCIDENT in the subject line of your report to [email protected].