Security & responsible disclosure

We run a security business, so we hold our own systems to the same standard we ask of everyone else. If you have found a vulnerability in one of our sites or products, we want to hear about it — and we will work with you, not against you.

Reporting a vulnerability

Email Info@Seglamater.com with the subject line Security. Please include:

  • The affected site, product, or URL.
  • A clear description of the issue and its impact.
  • The steps to reproduce it — enough that we can confirm it ourselves.

If you need to send sensitive details, say so in your first message and we will arrange an encrypted channel. Our machine-readable contact details follow RFC 9116 and live at /.well-known/security.txt.

What you can expect from us

  • We aim to acknowledge your report within three business days.
  • We will keep you updated as we investigate and confirm the issue.
  • We will fix confirmed issues as quickly as their severity warrants, and let you know when the fix ships.
  • If you would like credit, we are glad to acknowledge you once the issue is resolved. If you would rather stay anonymous, that is fine too.

Safe harbor

If you make a good-faith effort to follow this policy, we will treat your research as authorized. We will not pursue or support legal action against you for accidental, good-faith violations, and we will not ask your internet provider to identify you. If a third party brings a claim against you for activity that followed this policy, we will make it known that your actions were authorized.

Scope and ground rules

This policy covers the sites and products we operate, including seglamater.com, seglamater.app, and the services we host under those domains. To keep everyone safe, please:

  • Only test against your own accounts and data — never access, modify, or delete another person's data.
  • Stop as soon as you have confirmed a vulnerability, and report it rather than exploiting it further.
  • Give us a reasonable amount of time to fix an issue before disclosing it publicly.

The following are out of scope: denial-of-service or volumetric testing, social engineering of our team or customers, physical attacks, spam, and reports generated by automated scanners with no demonstrated impact.

We hold ourselves to the standard

Proof, not claims. We run our own websites through the Seglamater Privacy Standard — the same 24-check scanner we offer to everyone else — and publish the grades:

SPS privacy score for seglamater.com SPS privacy score for seglamater.app

Live service status is on our status page. Want to scan your own site? Start at seglamater.app/privacy.