Reporting a vulnerability
Email [email protected] with enough detail for us to reproduce the issue: the affected endpoint or URL, the steps to trigger it, the impact you observed, and any proof-of-concept. If the report is sensitive, say so and we will coordinate an encrypted channel.
Please do not open a public issue, post the finding publicly, or share it with third parties before we have had a reasonable chance to remediate.
What to expect
- Acknowledgement within 3 business days that we have received your report.
- An assessment of severity and a remediation plan, with status updates as we work the fix.
- Coordinated disclosure. We ask that you give us a reasonable window — we target 90 days — before publishing details, and we are happy to coordinate a joint disclosure timeline.
We are a small team and do not currently run a paid bug-bounty program, but we are glad to publicly credit researchers who report valid issues and want recognition.
Safe harbor
We will not pursue or support legal action against you for security research conducted in good faith that adheres to this policy. To stay in scope of that commitment, please:
- act in good faith and avoid privacy violations, data destruction, or service degradation;
- only interact with accounts you own or have explicit permission to test;
- stop and report immediately if you encounter customer data, and do not access, store, or share it;
- give us a reasonable time to remediate before any disclosure.
In scope
- The PkgRadar web application (pkgradar.com) and dashboard.
- The public API and the gate/scan API.
- The PkgRadar CLI and the @pkgradar/mcpserver.
Out of scope
- Volumetric denial-of-service and rate-limit exhaustion.
- Social engineering, phishing, or physical attacks against PkgRadar or its staff.
- Findings in third-party services we depend on (Stripe, Cloudflare, Resend, DigitalOcean) — please report those to the respective vendor.
- Missing security headers or best-practice hygiene with no demonstrated, concrete impact, and unvalidated output from automated scanners.
Not a vulnerability: detection feedback
A false positive (a clean package we flagged) or a missed detection is a quality issue, not a security vulnerability. We take those seriously too — send detection feedback to [email protected] and we will review it against our evaluation set.
For our broader security posture, data handling, and compliance mapping, see the Trust & compliance page.