Security
Responsible Disclosure
Last updated: April 19, 2026 · Effective immediately
1. Scope
All endpoints under depscope.dev and its subdomains, including the API, the dashboard, the MCP server, and our published npm package depscope-mcp. Out of scope: third-party services we depend on (Stripe, Cloudflare, the npm registry, etc.) and any denial-of-service or load testing.
2. How to report
- Email [email protected].
- Provide a clear description of the issue and its impact, a proof-of-concept, the affected URL or component, and your preferred credit (name, handle, or anonymous).
- If you prefer to encrypt your report, use PGP; our key is listed in /.well-known/security.txt.
3. Our commitments
- Acknowledge your report within 3 business days.
- Keep you informed of triage progress and expected fix timeline.
- Credit you publicly (with consent) once the fix is deployed.
- Not pursue legal action for good-faith research conducted within the rules of engagement below.
4. Rules of engagement
- Do not access or modify data that is not your own.
- Do not run automated scans, DoS, or social-engineering attacks.
- Minimize the footprint of your proof-of-concept: stop once you have enough to demonstrate the issue, and do not pivot further into systems or data.
- Do not disclose details publicly before a fix is released.
- Comply with all applicable laws.
5. Reward
We do not run a paid bug bounty at this time. We offer public credit, swag where available, and preferential access to upcoming paid tiers for impactful reports.