Security Disclosure Policy

Last updated: March 18, 2026

The security of CodeRecon and its users is important to us. We welcome reports from security researchers and the community. If you believe you have found a security vulnerability, please report it responsibly as described below.

Reporting a vulnerability

Please email your findings to security@coderecon.com. Include as much detail as possible: steps to reproduce, affected endpoints or components, and the potential impact. We will acknowledge your report within 3 business days.

Scope

  • The CodeRecon web application and API at coderecon.com.
  • The MCP server endpoint.
  • Authentication and authorization mechanisms.

The following are out of scope: third-party services (Stripe, Railway), denial-of-service attacks, social engineering, and automated scanning without prior coordination.

Safe harbor

We support safe harbor for security researchers who act in good faith. We consider activities conducted in a manner consistent with this policy to be authorized, and we will not pursue legal action against you for security research conducted in accordance with this policy. We ask that you:

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Only interact with accounts you own or with explicit permission of the account holder.
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it.
  • Report vulnerabilities as soon as you discover them.
  • Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

What to expect

  • Acknowledgement of your report within 3 business days.
  • Regular updates on our progress toward a fix.
  • Credit in any public disclosure, if you would like it.

Safe harbor language adapted from disclose.io, available under CC0.