Sweepbase welcomes security researchers. If you have found a vulnerability in sweepbase.net or any of our public endpoints, please report it through the channels below. We will acknowledge your report within 48 hours, triage within 5 business days, and credit you publicly (with your permission) once a fix is deployed.
Significant information disclosure (secrets, PII, non-public data)
4. Out of scope
Third-party card issuers and their websites (report directly to the issuer)
Affiliate-network redirects (Impact.com) that do not originate from sweepbase.net
Social engineering, phishing of Sweepbase staff, or attacks requiring physical access
Denial-of-service, volumetric attacks, or brute-force of authentication endpoints
Missing security headers on cosmetic assets without exploit impact
Clickjacking on pages with no state-changing actions
Automated scanner output without a verified exploit path
Self-XSS requiring the victim to paste their own payload
Email spoofing that is not attributable to a DMARC misconfiguration we can act on
5. Safe harbour
Research conducted in good faith and in accordance with this policy is authorised. We will not pursue legal action or law-enforcement referral for good-faith research that:
Stays within the scope above
Avoids accessing, modifying, or destroying data belonging to other users
Does not exfiltrate more data than needed to demonstrate the issue
Reports the issue privately before public disclosure
Gives us a reasonable time to fix before publication (generally 90 days)
If a third party initiates legal action against a researcher who complied with this policy, we will take steps to make it known that the activity was authorised.
6. Response-time commitments
Acknowledgement: within 48 hours of receipt
Triage & severity assessment: within 5 business days
Resolution target: 7 days for critical, 30 days for high, 90 days for medium/low
Public disclosure: coordinated with the reporter; default 90 days after fix or after reporter agreement
Personal data breach notification (GDPR Article 33). If an incident qualifies as a personal data breach affecting newsletter subscribers or visitors, the relevant supervisory authority is notified within 72 hours of our becoming aware of the breach. Affected users are notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34). If you suspect a personal data breach involving Sweepbase, please report it to security@sweepbase.net so we can treat it under this same 72-hour timeline.
7. Compensation
Sweepbase does not currently run a paid bug-bounty program. Valid reports receive:
Public credit on this page (“Acknowledgements” section below) with your preferred name and optional link
A written thank-you we can include in references for other programs
If the issue is significant, a direct thank-you gift (swag or voucher, at our discretion)
We may introduce a monetary bounty in the future; watch this page or follow @sweepbaseHQ.
8. Acknowledgements
We credit researchers who report valid issues here, with their permission.
No public disclosures yet. Be the first — we will add you here.