Vulnerability Disclosure Policy

Effective date: May 25th, 2026

1. Introduction

ScrapingBee is committed to safeguarding its infrastructure and the data of its customers. We recognize the valuable contribution that security researchers make to the wider security community and we welcome reports of suspected vulnerabilities under the terms set out in this Vulnerability Disclosure Policy (the "Policy").

By submitting a report to ScrapingBee, researchers acknowledge that they have read, understood, and agreed to the terms of this Policy.

This Policy provides guidelines for conducting security research against ScrapingBee assets and describes our preferred method for receiving and handling vulnerability submissions.

2. In-scope systems

The following domains and subdomains are authorized for security testing under this Policy:

  • scrapingbee.com
  • dashboard.scrapingbee.com

Any service not explicitly listed above, such as other subdomains, internal services, and vendor services that integrate with ScrapingBee but are operated by other companies, is out of scope and not authorized for testing. Vulnerabilities affecting third-party services should be reported directly to the relevant vendor.

If you are unsure whether a target falls within the scope of this Policy, please contact us at security@scrapingbee.com before testing.

3. Out-of-scope vulnerabilities

The following findings are generally not considered valid vulnerabilities and will not qualify for a reward:

  • Network-level Denial of Service (DoS / DDoS) attacks
  • Application-level Denial of Service through account locking
  • Descriptive error messages or verbose headers (e.g. stack traces)
  • Disclosure of known public files or directories (e.g. robots.txt, sitemap.xml)
  • Reports indicating outdated software versions without a working proof-of-concept demonstrating exploitability
  • Use of HTTP OPTIONS or TRACE methods
  • CSRF on logout endpoints or on forms available to anonymous users
  • Non-sensitive cookies missing the Secure or HttpOnly flags
  • Self-XSS, including issues exploitable only via Self-XSS
  • Attacks requiring physical access to a user's device
  • Username or email enumeration
  • Missing brute force, rate limiting, or account lockout controls without a demonstrated impact
  • SSL/TLS best practice deviations (e.g. weak ciphers, missing HSTS)
  • SSL attacks such as BEAST, BREACH, or renegotiation issues
  • Clickjacking without a documented, exploitable security impact
  • Email-related configuration issues (SPF, DKIM, DMARC)
  • Reports of known-vulnerable libraries without a working, implementation-specific exploit
  • Password recovery or reset policy concerns
  • Form autocomplete behavior
  • Lack of email verification during registration or password recovery
  • Session not invalidated after password or email change

4. Authorization and safe harbor

Any good-faith effort to comply with this Policy and the "do no harm" principle during security research will be considered authorized. We will work to understand and address any issue submitted to us. If you conduct security research and disclose vulnerabilities in good faith and in compliance with this Policy, ScrapingBee will:

  • Consider your research to be authorized under applicable anti-hacking laws;
  • Consider your research to be authorized under applicable anti-circumvention laws, and will not bring a claim against you for circumvention of technology controls;
  • Waive any restrictions in our Acceptable Use Policy that would otherwise prohibit such research, for the limited purpose of complying with this Policy;
  • Consider your research lawful, helpful to the overall security of the internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If a third party initiates legal action against you in connection with research conducted in good faith and in compliance with this Policy, ScrapingBee will take steps to make it known that your actions were authorized under this Policy.

5. Research guidelines

When carrying out security research under this Policy, you must:

  • Notify ScrapingBee as soon as possible after you discover a real or potential security issue;
  • Only test vulnerabilities using accounts that you own or accounts for which you have explicit written permission to test with;
  • Avoid submitting a high volume of low-quality reports;
  • Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

If at any point during your research you encounter information belonging to a third party — including personally identifiable information, financial information, proprietary information, or trade secrets of any party — you must stop testing immediately, refrain from accessing or storing additional data, and notify ScrapingBee at security@scrapingbee.com without disclosing the data to anyone else.

Prohibited conduct

The following activities are strictly prohibited under this Policy:

  • Any action that harms ScrapingBee, its customers, or its users, including but not limited to spam, brute force attacks, or denial-of-service;
  • Use of automated vulnerability scanners or other automated tooling that generates significant traffic;
  • Automated testing for any purpose other than verifying a specific exploit, or at a rate exceeding six (6) requests per second. Specialized custom scripts and targeted fuzzing tools are permitted for exploit verification under the same rate limit;
  • Accessing, or attempting to access, data or information that does not belong to you;
  • Modifying, destroying, or corrupting data or information that does not belong to you, or attempting to do so;
  • Retention of any personally identifiable information obtained during testing. Any such information must be permanently deleted from your devices and storage;
  • Exploitation beyond what is strictly necessary to demonstrate the vulnerability (proof-of-concept only). This means testing must stop immediately after you have confirmed initial access or impact;
  • Physical or electronic attacks against ScrapingBee personnel, offices, or property;
  • Social engineering of ScrapingBee employees, contractors, or customers;
  • Demanding financial compensation outside the terms of this Policy.

6. Reporting a vulnerability

Reports must be sent by email to security@scrapingbee.com. You may submit reports anonymously; reports submitted to ScrapingBee will only be used for defensive purposes — to investigate and remediate the issue.

Information to include

To help us triage and resolve the issue quickly, please include the following in your report:

  • A clear description of the vulnerability, including how it can be exploited and the potential impact;
  • The affected URL(s), endpoint(s), or parameter(s);
  • The IP address(es) you used during testing;
  • Step-by-step instructions to reproduce the issue;
  • A proof-of-concept (video, screenshots, or a small script);
  • Any files you attempted to upload as part of the test.

Reports missing this information may take longer to triage and may affect any reward decision.

Our commitment to you

When you share your contact details with us, we commit to:

  • Acknowledging receipt of your report within three (3) to four (4) business days;
  • Confirming the existence of the vulnerability to the best of our ability and keeping an open line of communication;
  • Keeping you informed of our progress as we work to remediate the issue;
  • At our sole discretion, recognizing valid reports based on the criticality, exploitability, and overall risk of the finding.

Disclosure timeline

You must not disclose the vulnerability to any other party for at least sixty (60) days after submitting your report. This allows us sufficient time to triage, remediate, and notify affected parties where necessary. We may request an extension if full remediation requires additional time.

7. Important notes

  • By submitting a vulnerability report, you acknowledge that you have no expectation of payment, and that any reward or recognition issued in response to your submission is granted entirely at the discretion of ScrapingBee;
  • By submitting a report, you acknowledge that your submission is voluntary and that you agree to be bound by this Policy;
  • For any clarification regarding this Policy or the scope of permitted research, please contact us at security@scrapingbee.com before carrying out any testing.

8. Modifications

ScrapingBee reserves the right to modify this Policy at any time. Any updates will be published on this page and will take effect immediately upon publication.