Security disclosure policy
Last updated 2026-05-18
Our coordinated vulnerability disclosure policy. Tells you where to send findings, what we treat as in and out of scope, the safe-harbor commitments we make to researchers who follow this policy, and how quickly we respond.
How to report
Send the report to . Include a summary, the affected asset, steps to reproduce against your own tenant, what you observed, and what you believe the impact is. PGP is available via our security.txt for sensitive findings. We acknowledge every report within two business days and send a status update at least every two weeks until the case is closed.
In scope
These assets are open to research under this policy. Test against tenants you create yourself. Cross-tenant defects (anything that would expose another tenant's data) are in scope, but stop the moment you have proof, and do not read, copy or retain the other tenant's data.
| Asset | Type | Coverage | Max. severity | Credit |
|---|---|---|---|---|
| cookielint.com (marketing site, this policy, hall of fame, public scanner landing) | Web | In scope | Critical | Eligible |
| app.cookielint.com (dashboard, banner editor, settings, audit log, consent receipts) | Web | In scope | Critical | Eligible |
| api.cookielint.com (REST API, OpenAPI at /docs, public banner delivery endpoints) | API | In scope | Critical | Eligible |
| cdn.cookielint.com (banner JS bundle, banner config, service worker, declaration script) | CDN | In scope | Critical | Eligible |
| Banner runtime (the CookieLint JS that evaluates inside customer sites at runtime) | Runtime | In scope | Critical | Eligible |
| cookielint.com/scanner (unauthenticated public cookie scanner and its public report pages) | Web | In scope | High | Eligible |
| CookieLint Chrome extension (latest published build on the Chrome Web Store) | Browser extension | In scope | High | Eligible |
Out of scope
We close these as informational. If a finding affects a service or library we use, send it upstream so the fix reaches everyone who depends on it.
| Item | Type | Coverage | Reason |
|---|---|---|---|
| Third-party services | Upstream vendor | Out of scope | Report directly to the upstream provider |
| Open-source dependencies | Upstream code | Out of scope | Report upstream; we track CVE feeds |
| Self-XSS | Finding class | Out of scope | Requires the victim to paste payloads |
| Clickjacking on inert pages | Finding class | Out of scope | No sensitive action to frame |
| Missing security headers | Finding class | Out of scope | Informational without demonstrated impact |
| Missing rate limits | Finding class | Out of scope | Endpoints with no authentication state to protect |
| Version disclosure | Finding class | Out of scope | Dependencies are already pinned |
| Automated-scanner output | Report quality | Out of scope | Needs a working proof of concept |
| Denial-of-service | Attack class | Out of scope | Volumetric attacks are not authorised |
| Social engineering | Attack class | Out of scope | CookieLint staff and customers are off-limits |
| Phishing simulations | Attack class | Out of scope | Not authorised under this policy |
Rules of engagement
Test against your own tenant. Do not access, copy, or modify data belonging to other tenants. Cap automated traffic at one request per second per endpoint. Stop testing the moment you have a working proof of concept. Do not pivot from one finding into other systems. Report by email before any public disclosure, social-media post, or talk submission.
Safe harbor
Security research conducted in good faith under this policy is:
- authorised in view of any applicable anti-hacking laws (including the US Computer Fraud and Abuse Act and the UK Computer Misuse Act); we will not initiate or support legal action against you for accidental, good-faith breaches of this policy
- authorised in view of any applicable anti-circumvention laws (including the DMCA); we will not bring a claim against you for circumvention of technology controls
- exempt from the restrictions in our Terms of Service that would otherwise interfere with security research, on a limited basis for the purpose of this policy
- treated as lawful, conducted in good faith, and useful to the safety of our users
You are responsible for compliance with applicable law. If you are unsure whether your planned testing is consistent with this policy, ask before you act, and we will respond within two business days. This section adapts the disclose.io Gold Standard Safe Harbor template; the operative interpretation is ours and applies only to research against CookieLint-controlled assets.
Disclosure timeline
Target time-to-fix from the initial valid report: 30 days for critical-severity findings, 90 days for high, 180 days for medium and low. If we need longer, we explain why before the deadline passes. Public disclosure is coordinated with the reporter; by default it happens 90 days after the initial report or once a fix has been deployed to production, whichever is later.
Acknowledgments
Researchers who report a valid issue can opt to be credited in our hall of fame. We list under real name, handle, or anonymous, whichever you prefer, and we never publish researcher contact details without explicit permission.
security.txt
Machine-readable contact details are published per RFC 9116 at /.well-known/security.txt.