
Vulnerability Disclosure

Responsible disclosure program powered by HackerOne

🎯 Bug Bounty Program Active

We partner with HackerOne to reward security researchers for responsibly disclosing vulnerabilities.

Submit Report on HackerOne

Bounty Rewards

Severity | Reward | Examples
Critical | $5,000 - $10,000 | Remote code execution, data breach, complete system compromise
High | $2,500 - $5,000 | SQL injection, authentication bypass, privilege escalation
Medium | $500 - $2,500 | XSS, CSRF, information disclosure, IDOR
Low | $100 - $500 | Minor information leaks, weak security headers
Informational | Thank you | Findings that do not pose a security risk

In Scope

The following assets are in scope for our bug bounty program:

  • api.blazecrawl.dev
  • dashboard.blazecrawl.dev
  • *.blazecrawl.dev
  • Mobile applications
  • Public APIs

Out of Scope

The following are not eligible for rewards:

  • Social engineering attacks
  • Physical security attacks
  • Denial of service attacks
  • Attacks on third-party services
  • Issues in third-party dependencies
  • Brute force attacks on authentication
  • Reports from automated tools without proof of exploitability
  • Missing security headers (without demonstrated risk)
  • Cookie flags on non-sensitive cookies
  • Content spoofing / text injection

Disclosure Policy

90-Day Disclosure Default

We ask that you give us 90 days to fix vulnerabilities before public disclosure. We prefer coordinated disclosure to protect our users.

Safe Harbor

Researchers acting in good faith are protected from legal action for discovering and reporting vulnerabilities.

Triage SLA

  • Initial response: 24 hours
  • Triage decision: 5 business days
  • Fix timeline: Based on severity (Critical: 7 days, High: 30 days, Medium: 90 days)

Contact

For sensitive security issues that shouldn't be posted publicly:

security.txt

# BlazeCrawl Security Policy
# https://blazecrawl.dev/.well-known/security.txt

Contact: mailto:security@blazecrawl.dev
Expires: 2027-04-28T00:00:00.000Z
Encryption: https://blazecrawl.dev/pgp-key.txt
Preferred-Languages: en
Canonical: https://blazecrawl.dev/.well-known/security.txt
Policy: https://blazecrawl.dev/vulnerability-disclosure
HackerOne: https://hackerone.com/blazecrawl