Security Program

    Responsible Disclosure

    We value the security research community and welcome responsible disclosure of security vulnerabilities in our platform.

    Our Commitment

    Security is fundamental to our mission. We commit to:

    • Responding to vulnerability reports within 72 hours
    • Working with researchers to understand and validate findings
    • Addressing confirmed vulnerabilities promptly
    • Not pursuing legal action against good-faith researchers
    • Crediting researchers who help improve our security (with consent)

    In Scope

    We are interested in vulnerabilities affecting:

    • Authentication and authorization flaws
    • SQL injection, XSS, CSRF, and similar web vulnerabilities
    • Information disclosure vulnerabilities
    • Privilege escalation
    • Remote code execution
    • Broken access controls
    • Security misconfigurations

    Out of Scope

    The following are not eligible for this program:

    • Social engineering attacks against our staff
    • Physical security attacks
    • Denial of service (DoS/DDoS) attacks
    • Spam or rate limiting issues without security impact
    • Missing security headers without exploitable impact
    • Self-XSS without impact on other users
    • Vulnerabilities in third-party services we use
    • Clickjacking without meaningful security impact

    Disclosure Guidelines

    When reporting a vulnerability, please:

    • Provide detailed steps to reproduce the vulnerability
    • Include any proof-of-concept code or screenshots
    • Describe the potential impact of the vulnerability
    • Do not access, modify, or delete data belonging to other users
    • Do not publicly disclose until we've had time to address the issue
    • Give us reasonable time (90 days) to fix the vulnerability

    Recognition

    While we do not currently offer monetary bounties, we recognize and appreciate security researchers who help protect our platform:

    • Acknowledgment in our security hall of fame (with consent)
    • Public thanks and credit for responsible disclosure
    • Letter of appreciation for your resume/portfolio

    Defense-Only Policy

    Blackwall is a defensive security platform designed exclusively for threat reporting, abuse documentation, and brand protection. The platform must not be used for any offensive, retaliatory, or illegal purposes.

    Specifically, the following uses are strictly prohibited:

    • Using Blackwall to launch, facilitate, or coordinate cyberattacks
    • Submitting false or fabricated reports to harm competitors or individuals
    • Using OSINT investigation tools for stalking, harassment, or doxxing
    • Leveraging takedown mechanisms to suppress legitimate content or speech
    • Any activity that violates applicable laws (including CFAA, NIS2, GDPR)

    Violations of this policy will result in immediate account termination and may be reported to law enforcement authorities. All platform activity is subject to audit logging.

    Report a Vulnerability

    To report a security vulnerability, please contact us through our secureContact page with the subject line "Security Vulnerability Report".

    Please include as much detail as possible to help us understand and reproduce the issue. We will acknowledge receipt within 72 hours.

    Cookie Notice

    We use cookies to ensure the functionality of our website. Necessary cookies are required for operation. Optional cookies help us improve our services. For more information, see our Privacy Policy.