Security

Security & responsible disclosure

We are a security company, and we hold our own platform to the standard we scan for. If you believe you have found a vulnerability in OnScanner, we want to hear from you.

Reporting a vulnerability

Email support@onscanner.com with a clear description, the affected URL or endpoint, and steps to reproduce. We acknowledge reports as quickly as we can and will keep you updated on remediation. Please give us reasonable time to fix an issue before public disclosure, and do not access or modify data that is not yours. Our machine-readable contact is published at /.well-known/security.txt (RFC 9116).

What to expect after you report

We read every report. A first response usually goes out within two business days, and it tells you whether we can reproduce the issue and how severe we judge it. Valid reports get a remediation plan and progress updates until the fix ships. Once the issue is resolved we are happy to credit you by name or handle if you want the recognition, or keep the report private if you prefer. Duplicate reports are answered with a pointer to the original finding's status.

Safe harbor

If you make a good-faith effort to follow this policy, we will not pursue legal action over your research. Good faith means testing only in-scope systems, using your own accounts and data, stopping as soon as you can demonstrate the issue, and giving us reasonable time to fix it before any public disclosure. Accessing other users' data, degrading the service, or extorting a payment are not good-faith research.

Scope

In scope: onscanner.com, app.onscanner.com, api.onscanner.com, and mcp.onscanner.com. Out of scope: volumetric denial-of-service, social engineering, and findings that require a compromised device or already-privileged account.

Our posture

  • All traffic is served over HTTPS with HSTS; HTTP is redirected to HTTPS.
  • A strict Content-Security-Policy and modern response headers are applied at the edge.
  • Data is encrypted in transit and at rest, and is only accessible to authorized users on the owning account. We do not sell your data; scan results leave our systems only when you opt in to AI Findings, which sends them to a third-party AI provider under no-training terms.
  • Scans only run against targets the account owner has added and is authorized to test.
  • The scan itself never calls an LLM; AI analysis is optional and opt-in per scan.
  • Active exploitation probes are non-destructive and verify in-band. See our methodology.

Authorized use

OnScanner is a web vulnerability scanner. You may only scan domains and applications you own or have explicit written permission to test. Misuse against third-party targets violates our Terms of Service.