FerrLens · Legal

Security & vulnerability disclosure

Last updated · 2026-05-17

If you found a security issue in FerrLens — anything from XSS to RCE, from SSRF in the SEO checker to leakage of share snapshots — please tell us. We'll thank you, fix it fast, and credit you publicly if you want.

How to report

Email security@ferrlabs.com. Optionally encrypt with our PGP key — fingerprint 2D 7F 5B 19 4C 38 91 C2 03 6E B8 1A 4D F0 9E 22, available from keys.openpgp.org.

Please include:

  • The vulnerability class (XSS / SSRF / IDOR / cache poisoning / etc.) and the affected URL.
  • Steps to reproduce. A working PoC saves us hours.
  • Whether you've disclosed this anywhere else.
  • How you'd like to be credited (real name, handle, or anonymously).

What we promise

  • Acknowledgement within 24 hours. An actual human reads your email and replies.
  • Triage within 5 business days. We confirm whether it's a valid issue, the severity, and a target fix date.
  • No legal action against good-faith research. If you stay within the scope listed below and don't degrade service for other users, you're safe.
  • Credit if you want it. We'll add you to a security hall of fame on this page, name and link of your choosing.

In scope

  • ferrlens.com and any subdomain.
  • api.ferrlens.com and any documented endpoint.
  • The Rust source code at github.com/FerrLabs/FerrLens-Cloud.
  • Container images at ghcr.io/ferrlabs/ferrlens-cloud/*.

Out of scope

  • Vulnerabilities in third-party services (Google PageSpeed Insights, Let's Encrypt, Stripe) — report directly to them.
  • Rate-limit bypass via legitimate paid plans (Pro / Team) — that's the point of those plans.
  • Social engineering of FerrLabs staff or users.
  • Physical attacks against our servers.
  • Denial of service / volumetric attacks — please don't.
  • Reports purely about missing security headers when no concrete exploit is shown.

Bounty

We don't pay cash bounties yet — too early. We send a small thank-you (FerrLens stickers, a handwritten note, and a year of Pro on us). When revenue lets us run a proper bounty, this page will say so and back-pay reporters who waited.

Hall of fame

Empty for now. Be the first to land here.