Vulnerability Disclosure Policy

Effective: May 4, 2026

Marketing Bar LLC welcomes reports from security researchers and the wider community. This policy explains how to report a vulnerability, what is in scope, what is out of scope, and the safe-harbor commitments we make in return for good-faith research.

1. How to report

Email roman@marketing-bar.com with a subject line beginning with [SECURITY]. Please include:

  • a clear description of the issue and the affected URL or asset;
  • step-by-step reproduction instructions;
  • the impact you observed (or believe is achievable);
  • any proof-of-concept code, screenshots, or HTTP traces that help us reproduce.

If the report is sensitive, ask in your initial email and we will provide a PGP-encrypted channel for the follow-up.

2. In scope

  • marketing-bar.com — this marketing site
  • The Nitro server endpoints under this domain (/api/contact, /api/track, sitemap and OG image endpoints)

The Marketing Bar service itself (marketing-bar.com/reporting) and the Marketing Bar agency site (marketing-bar.com) are not within the scope of this policy. Reports concerning those properties are still welcome at the same email address; we will route them internally and respond on the same timeline, but the scope in Section 2 and the safe-harbor commitments in Section 5 apply only to the marketing-site surface.

3. Out of scope

The following are not considered eligible vulnerabilities:

  • denial-of-service, distributed denial-of-service, or volumetric attacks of any kind;
  • social engineering of our team, customers, or service providers, including phishing;
  • physical attacks against our offices, hardware, or personnel;
  • attacks requiring physical access to a victim’s device, or that depend on credentials obtained outside the scope above;
  • findings limited to outdated browsers or software no longer receiving security updates;
  • missing security headers without a demonstrated exploitable impact (please report with a working PoC);
  • reports based solely on automated scanner output without verification;
  • vulnerabilities in our third-party service providers (Vercel, Resend, Upstash, Google, Meta, LinkedIn, Microsoft) — please report those directly to the provider.

4. Rules of engagement

While testing, we ask that you:

  • only target the assets in Section 2;
  • do not access, modify, exfiltrate, or destroy data that does not belong to you;
  • do not pivot beyond the initial finding to test other systems;
  • stop testing and notify us immediately if you encounter personal data, credentials, or other sensitive information;
  • do not perform actions that could degrade availability for other users (no fuzzing the contact form, no high-rate scanning);
  • do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate (see Section 6).

5. Safe harbor

If you make a good-faith effort to comply with this policy during your research, Marketing Bar LLC will:

  • not pursue or support any legal action against you for your research;
  • work with you to understand and resolve the issue quickly;
  • recognize your contribution if you are the first to report a previously unknown issue (see Section 7).

This safe-harbor commitment covers civil claims under the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, plus equivalent state laws, to the extent we are able to waive them. It does not cover actions that violate applicable law in your own jurisdiction, that target the out-of-scope items in Section 3, or that breach the rules of engagement in Section 4.

6. Coordinated disclosure

Our timeline for typical reports:

  • Within 1 business day — we acknowledge receipt of your report.
  • Within 5 business days — we provide an initial triage with severity assessment and expected remediation window.
  • Within 90 days — remediation for vulnerabilities we accept as in-scope, unless the issue is structurally complex and we agree on a longer window with you.

We ask that you keep the issue confidential until remediation is complete or 90 days have passed, whichever comes first, unless we have agreed a longer window with you. We are happy to publish a coordinated disclosure together once the fix is live.

7. Recognition

We do not currently run a paid bug-bounty program. We will, with your permission, credit you on this page for valid first reports that we accept and remediate. If you would prefer to remain anonymous, let us know in your initial email.

8. Contact

Security questions, vulnerability reports, or anything else covered by this policy: roman@marketing-bar.com.