Responsible Disclosure

For security researchers who know how to behave (unlike scammers)

🛡️ For Security Researchers

We welcome responsible security research. It's refreshing to deal with ethical hackers after spending all day fighting the other kind.

Our Commitment

PhishDestroy is committed to working with security researchers to protect our users and systems. We believe in coordinated disclosure and appreciate the security community's efforts to keep the internet safe.

Unlike scammers who exploit vulnerabilities for profit, we actually appreciate people who report them responsibly.

Reporting Guidelines

If you believe you have found a security vulnerability in our systems, please follow these guidelines:

  • Email us first: Send details to security@phishdestroy.io
  • Include details: Provide clear steps to reproduce the issue
  • Be patient: Allow us reasonable time to investigate and fix the issue
  • Don't exploit: Do not access, modify, or delete data that doesn't belong to you
  • Keep it confidential: Don't disclose the issue publicly until we've addressed it

Safe Harbor

We will not pursue legal action against security researchers who:

  • Act in good faith
  • Report vulnerabilities through proper channels
  • Do not access or modify user data
  • Do not disrupt our services
  • Follow responsible disclosure practices

Basically, don't be a scammer and we won't treat you like one.

In Scope

We are interested in vulnerabilities in:

  • PhishDestroy websites and web applications
  • API endpoints and services
  • Data processing systems
  • Authentication and authorization mechanisms
  • Infrastructure components we control

Out of Scope

Please do not report:

  • Issues in third-party services we don't control
  • Social engineering attacks
  • Physical security issues
  • Denial of service attacks
  • Spam or content issues
  • Issues requiring physical access to our systems

Response Timeline

We aim to:

  • Acknowledge receipt: Within 48 hours
  • Provide initial assessment: Within 1 week
  • Provide resolution timeline: Within 2 weeks
  • Keep you updated: Throughout the process

We respond faster than scammers respond to takedown notices (which is never).

Recognition

We believe in giving credit where it's due. With your permission, we will:

  • Acknowledge your contribution publicly
  • Include you in our security researcher hall of fame
  • Provide a reference letter if requested

What We Won't Do

We will not:

  • Pursue legal action for good faith security research
  • Contact your employer about your research
  • Ignore valid reports
  • Take longer than necessary to fix issues

Examples of Valuable Reports

We particularly value reports about:

  • Authentication bypasses
  • Data exposure vulnerabilities
  • Injection vulnerabilities (SQL, XSS, etc.)
  • Privilege escalation issues
  • Remote code execution

Contact Information

For security vulnerabilities: security@phishdestroy.io

For general inquiries: contact@phishdestroy.io

We actually read our emails, unlike the support addresses of scam sites.