Last updated July 2026
Security Policy
We take security reports seriously and appreciate researchers who disclose responsibly. This page is the vulnerability disclosure policy referenced by our security.txt (RFC 9116).
Reporting a Vulnerability
Please do not disclose security vulnerabilities publicly before contacting us.
Email kevinmarmstrong1990@gmail.com with:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept (text only — do not attach exploit binaries)
- Any relevant logs, screenshots, or code references
You can expect an acknowledgement within 48 hours and an initial status update within 7 days. Critical findings (remote code execution, auth bypass, SSRF that bypasses the existing guards, sensitive data exposure) are triaged ahead of routine work.
Scope
In scope:
- Authentication or authorization bypass on
api.website-auditor.ioflows surfaced through the dashboard - Server-Side Request Forgery (CWE-918) bypassing our outbound-request guards
- Cross-Site Scripting (XSS) on
website-auditor.iorendered content - Cross-Site Request Forgery (CSRF) on any state-changing endpoint
- Supply-chain issues in pinned third-party dependencies
Out of scope:
- Denial-of-service (resource-consumption testing) — please report rate-limiting gaps as findings, but do not exercise them at volume
- Self-XSS that requires a user to paste code into devtools
- Issues that require physical access to a device
- The
/api/ai-querysubscription gate is intentional; bypass attempts on the intentionally open endpoints (/run,/api/runs,/api/detect-business,/api/bug-report) are out of scope
Architecture Notes for Researchers
- Backend: Flask application on Google Cloud Run, behind Cloudflare, serving both the public site and the audit engine at
website-auditor.io. - Subscription gating:
/api/ai-queryvalidates a token minted by the separateapi.website-auditor.ioadmin portal. Most other audit endpoints are intentionally open. - SSRF defence: every outbound request and each redirect hop is re-validated against private/reserved address ranges.
- CSRF defence: form-encoded POSTs validate a per-session token; JSON POSTs require
X-Requested-With. - Secrets: deployed as Cloud Run environment variables and never sent to the browser.
Safe Harbor
Armstrong HoldCo LLC will not pursue legal action against researchers who:
- Make a good-faith effort to comply with this policy
- Avoid privacy violations, denial-of-service, and destructive testing
- Give a reasonable disclosure window before going public
Thank you for helping keep Website Auditor and its users safe.