Responsible Disclosure Policy

Security Vulnerability Reporting Guidelines

Last Updated: December 2025

We take security seriously at NoAdCode. We appreciate the security research community's efforts in helping us maintain a secure platform. This policy outlines how to responsibly report security vulnerabilities.

1. Our Commitment

If you follow the guidelines in this Responsible Disclosure Policy when reporting a security vulnerability, we commit to:

  • Prompt Acknowledgment: We will acknowledge receipt of your report within 2 business days
  • Investigation: We will work to understand and validate the vulnerability
  • Resolution: We will aim to fix valid vulnerabilities in a timely manner based on severity
  • No Legal Action: We will not pursue legal action against you for security research conducted in good faith
  • Recognition: We will publicly acknowledge your contribution (with your permission) in our Security Hall of Fame
  • Communication: We will keep you informed about the progress of your report

2. Scope

2.1 In Scope

The following assets are within the scope of this program:

  • Web Application: noadcode.com and all subdomains
  • API: api.noadcode.com and related endpoints
  • WordPress Plugin: NoAdCode WordPress plugin (latest version)
  • Authentication: OAuth flows and session management
  • Data Storage: Security of user data and credentials

2.2 Vulnerability Types We're Interested In

  • Remote Code Execution (RCE)
  • SQL Injection
  • Authentication/Authorization bypasses
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • Insecure Direct Object References (IDOR)
  • Sensitive data exposure
  • OAuth/Token security issues
  • API security vulnerabilities
  • WordPress plugin security issues

3. Out of Scope

The following are explicitly out of scope:

3.1 Non-Qualifying Vulnerabilities

  • Denial of Service (DoS/DDoS) attacks
  • Social engineering or phishing attacks
  • Physical security attacks
  • Attacks on third-party services we use (Google, Razorpay, Vercel, etc.)
  • Vulnerabilities in outdated browsers or plugins
  • Self-XSS (where the user must paste code into their own console)
  • Missing security headers without demonstrated impact
  • Clickjacking without demonstrated security impact
  • Rate limiting issues without demonstrated impact
  • Theoretical vulnerabilities without proof-of-concept
  • User enumeration (unless it leads to a more serious vulnerability)
  • Password/credential policies (password complexity, etc.)

3.2 Excluded Activities

  • Spelling mistakes or UI/UX bugs
  • Content spoofing without security impact
  • Reports from automated scanners without manual verification
  • Best-practice recommendations without an actual vulnerability

4. Researcher Guidelines

When conducting security research, observe the following rules:

4.1 Allowed

  • Use your own test accounts for research
  • Create a proof of concept to demonstrate vulnerabilities
  • Report findings promptly after discovery
  • Provide sufficient detail for us to reproduce the issue
  • Give us reasonable time to respond and fix issues before any disclosure

4.2 Not Allowed

  • Access, modify, or delete data belonging to other users
  • Perform actions that could harm our users or services
  • Execute denial of service attacks
  • Send unsolicited emails or messages as part of testing
  • Use automated scanning tools excessively
  • Test on production systems in ways that could cause disruption
  • Publicly disclose vulnerabilities before we have resolved them
  • Attempt to extort or demand payment for vulnerability information
  • Violate any applicable laws during research

5. How to Report

5.1 Reporting Channel

Email: security@noadcode.com
Subject Line: [Security Report] Brief description of vulnerability

5.2 Required Information

Please include the following in your report:

  • Description: Clear description of the vulnerability
  • Impact: Potential security impact if exploited
  • Steps to Reproduce: Detailed steps to reproduce the issue
  • Proof of Concept: Code, screenshots, or videos demonstrating the vulnerability
  • Affected Component: URL, API endpoint, or code location
  • Environment: Browser, OS, and any relevant configuration
  • Your Contact: Email for follow-up communication

5.3 Encryption (Optional)

For sensitive reports, you may encrypt your message. Contact security@noadcode.com for our PGP key.

6. Response Timeline

Stage                      Timeline
Initial Acknowledgment     Within 2 business days
Initial Assessment         Within 5 business days
Status Update              Every 2 weeks during investigation
Resolution (Critical)      Within 7 days
Resolution (High)          Within 30 days
Resolution (Medium/Low)    Within 90 days

7. Recognition

7.1 Hall of Fame

We maintain a Security Hall of Fame to recognize researchers who have responsibly disclosed valid vulnerabilities. With your permission, we will include:

  • Your name or handle
  • Link to your profile (Twitter, LinkedIn, website)
  • Month and year of disclosure

7.2 Rewards

Currently, we do not offer monetary rewards for vulnerability reports. However, we may provide:

  • Public recognition in our Hall of Fame
  • NoAdCode swag (t-shirts, stickers)
  • Reference letters for exceptional contributions

Note: Requests or demands for monetary compensation are not in compliance with this policy.

8. Legal Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized: We will not pursue civil action or criminal complaints for accidental, good-faith violations of this policy
  • Exempt from CFAA: We consider research conducted under this policy to be "authorized" under the Computer Fraud and Abuse Act (or equivalent laws)
  • Exempt from DMCA: We waive any potential DMCA claims for circumventing security measures in the course of good-faith research

If legal action is initiated by a third party against you for activities conducted in compliance with this policy, we will take steps to make it known that your actions were authorized.

9. Confidentiality

Please keep all vulnerability information confidential:

  • Do not share vulnerability details with third parties
  • Do not publicly disclose until we have resolved the issue and given permission
  • We request a minimum of 90 days from initial report before any public disclosure

10. Contact

Security Reports: security@noadcode.com
General Security Questions: security@noadcode.com
Policy Questions: legal@noadcode.com

11. Policy Changes

We may update this policy from time to time. Changes will be posted on this page with an updated revision date. Your participation in our program after changes constitutes acceptance of the updated policy.

Thank You

We appreciate security researchers who help us keep NoAdCode safe. Your efforts protect our users and contribute to a more secure internet.