Vulnerability disclosure policy
We welcome reports from security researchers. If you have found a vulnerability in DMARCER, this page tells you how to report it, what is in scope, and what you can expect from us in return.
Last updated: 6 July 2026
How to report
Email security@dmarcer.net with enough detail for us to reproduce the issue: the affected URL or endpoint, a clear description, reproduction steps, and any proof-of-concept or screenshots. If the report is sensitive, ask us for a way to share it securely and we will arrange one.
Our commitment to you
- We will acknowledge your report within 3 working days.
- We will give you an assessment and expected timeline within 10 working days.
- We will keep you updated as we work on a fix, and let you know when it is resolved.
- We are happy to credit you publicly once the issue is fixed, if you would like that.
Safe harbour
If you make a good-faith effort to follow this policy, we will treat your research as authorised, we will not pursue or support legal action against you for it, and we will work with you to understand and resolve the issue quickly. This safe harbour does not apply if you break the law, harm our customers or their data, or act outside the scope below.
In scope
- The DMARCER application at app.dmarcer.net and its API.
- Our public website at dmarcer.net and the support site.
- The regional MTA-STS and reporting hosts we operate.
Out of scope
- Denial-of-service, volumetric, or brute-force testing.
- Social engineering, phishing, or physical attacks against our staff or offices.
- Reports from automated scanners with no demonstrated, exploitable impact.
- Missing best-practice headers or configuration with no practical security impact.
- Third-party services we do not control (for example Stripe, Xero, Cloudflare, Microsoft).
Please do not
- Access, modify, or delete data that is not your own, or exfiltrate any data.
- Degrade or interrupt our service for other users.
- Publicly disclose the issue before we have had a reasonable chance to fix it.
Machine-readable contact details are published at /.well-known/security.txt. See also our Security and trust page.