Security Policy

Security Policy

Responsible disclosure process, PGP contact, response SLAs, and safe harbor for researchers.

The machine-readable security.txt is the authoritative source for our PGP key fingerprint and contact details.

Scope

  • phishdestroy.io main site and all subdomains
  • Public CTI API endpoints under /api/
  • Cloudflare Workers (gotcha-panel, r2-cdn, phish-worker)
  • GitHub repositories under github.com/phishdestroy

Out of Scope

  • Third-party scanners we proxy (URLScan, VirusTotal, Shodan)
  • Phishing domains in our blocklist — those are the targets, not our infrastructure
  • Denial-of-service testing
  • Social engineering attacks against our team

Reporting a Vulnerability

Email: security@phishdestroy.io — encrypt with the PGP key in security.txt.

Please include:

  • A clear description of the vulnerability and its impact
  • Steps to reproduce (proof-of-concept that causes no harm)
  • Affected URL, endpoint, or repository path

Response SLA

  • Acknowledgment: within 48 hours
  • Initial triage & severity assessment: within 7 days
  • Fix or roadmap commitment: within 30 days for Critical/High; 90 days for Medium/Low
  • CVE coordination: available on request for critical vulnerabilities

Safe Harbor

We support good-faith security research. If you follow these rules, we will not pursue legal action:

  • Do not access, modify, or exfiltrate user data
  • Do not degrade or disrupt service availability
  • Do not use our infrastructure to attack others
  • Test on staging.phishdestroy.io when available
  • Coordinate disclosure before publishing findings

Recognition

Researchers who responsibly report valid vulnerabilities will be acknowledged in our security changelog (with consent). We do not currently offer a paid bug bounty, but we provide public credit and our sincere appreciation.