Security Policy

Last updated: June 24, 2026

A11y Audit takes the security of our service and our users’ data seriously. We welcome responsible disclosure of security vulnerabilities.

Reporting a Vulnerability

If you believe you have found a security vulnerability in A11y Audit, please report it to us at security@a11yaudit.app.

Please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce or a proof of concept.
  • Any relevant URLs, request/response samples, or screenshots.

We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it.

Scope

In scope:

  • https://a11yaudit.app and any authenticated application hosted on this domain.
  • Authentication and authorization flaws.
  • Data exposure or insecure handling of user or scan data.
  • Injection vulnerabilities (XSS, CSRF, SQL injection, etc.).

Out of scope:

  • Denial-of-service attacks.
  • Social engineering or phishing of A11y Audit staff or users.
  • Vulnerabilities in third-party services or infrastructure we do not control.
  • Issues that require physical access to a user’s device.
  • Automated scanning without prior coordination.

What to Expect

After you report a vulnerability:

  • Acknowledgment — we will acknowledge receipt within 3 business days.
  • Assessment — we will investigate and keep you informed of our progress.
  • Resolution — we will work to resolve confirmed vulnerabilities promptly and notify you when the fix is deployed.

Safe Harbor

A11y Audit will not pursue legal action against researchers who discover and report security vulnerabilities in good faith, provided you:

  • Act in accordance with this policy.
  • Avoid accessing, modifying, or deleting data that does not belong to you.
  • Do not disrupt the service or degrade the user experience.
  • Report the vulnerability to us before any public disclosure.

We consider good-faith security research a valuable contribution and will make every effort to acknowledge your help.

Contact

security@a11yaudit.app