PrivacyScrubber is built on the philosophy of Zero-Trust. We believe in transparency and working with the global security community to maintain the integrity of our client-side engine.

1. Safe Harbor

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will not initiate or support legal action against you related to your research.

2. Reporting a Vulnerability

If you believe you have found a security vulnerability in PrivacyScrubber, please submit a report to security@privacyscrubber.com.

Please include:

• A detailed description of the vulnerability.
• Steps to reproduce the issue (including any PoC scripts or screenshots).
• The browser version and OS you used.

3. Scope

In Scope:

• Client-side data exfiltration vectors (e.g., bypassing our zero-network policy).
• XSS vulnerabilities that could extract the in-memory SessionMap.
• Cryptographic flaws in our TEAMS Argon2id / XChaCha20-Poly1305 handoff implementation.
• Regex Denial of Service (ReDoS) that crashes the browser sandbox.

Out of Scope:

• Missing HTTP security headers (unless they directly lead to an exploit).
• Reports indicating that our NER engine missed a piece of PII (this is an accuracy issue, not a security vulnerability).
• Issues related to third-party payment providers.
• Denial of Service (DoS) attacks against our static Vercel hosting.