Responsible Disclosure Policy
Last updated:
MageArgus is a security product operated by W3ctrl Services. We take the security of our own platform seriously and welcome reports from security researchers. This page explains how to report a vulnerability and what you can expect from us.
How to report
Email [email protected] with the subject line “Security — MageArgus”. Please include enough detail for us to reproduce the issue: affected URL or endpoint, a description of the vulnerability, steps to reproduce, and any proof-of-concept. Our machine-readable contact details are published at /.well-known/security.txt.
Our commitment
- We will acknowledge your report within 3 business days.
- We will provide an assessment and expected remediation timeline within 10 business days.
- We will keep you informed as we work on a fix, and let you know when it ships.
- With your permission, we will credit you in our acknowledgments below.
Safe harbour
We will not pursue or support legal action against researchers who, in good faith, discover and report vulnerabilities in accordance with this policy. To stay within scope, please:
- Only test against mageargus.com and assets we operate — never against stores scanned by our users.
- Avoid privacy violations, data destruction, and any degradation of our service (no automated/volumetric attacks, no denial of service).
- Do not access, modify or exfiltrate data that is not your own. If you encounter user data, stop and report it immediately.
- Give us a reasonable opportunity to remediate before any public disclosure.
Out of scope
Reports limited to: missing best-practice headers without a demonstrable exploit, rate-limiting on non-sensitive endpoints, social engineering, and findings from automated scanners without a working proof-of-concept.
Acknowledgments
We thank the researchers who have responsibly disclosed issues to us. This hall of fame will be published here as reports are validated.