Shelltag’s Responsible Disclosure

At Shelltag, we take the security of our systems seriously, and it is our constant endeavour to make our website a safe place for our customers to browse. We take the security of our systems seriously, and we value the security community. Responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

In case when some security researcher or member of the general public identifies a vulnerability in our systems, and responsibly shares the details of it with us, we appreciate their contribution, work closely with them to address such issues with urgency, and if they want, publicly acknowledge their contribution.


Reporting Security Vulnerabilities

If you believe you’ve found a security vulnerability in our software please email it to It will be very valuable to us, if you can include the following details in your email submission:

  •          Description of the location and potential impact of the vulnerability;
  •          Steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
  •          We will usually respond with an acknowledgement within 96 hours. We request you to adhere to the principles of responsible disclosure which are, but not limited to
  •          Access and expose customer data that is your own.
  •          Avoiding scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site).
  •          Keep within the guidelines of our Terms Of Service.
  •          Keep details of vulnerabilities secret until the Shelltag security team has been notified and had a reasonable amount of time to fix the vulnerability.
  •          Refrain from Public Disclosure
  •          Taking into consideration the safety of our customers/users please do not publish any security vulnerabilities. We expect to fix all security issues within 30 days from the date of the reported security issue. Once an issue has been fixed we will explicitly acknowledge your contributions and at which time you are free to publish your work.


Rewards & Recognition

You will receive recognition and/or a reward depending on various factors like :

  •          You are the first person to report the vulnerability.
  •          The vulnerability level of the reported issue.
  •          You have complied with our guidelines.


We do not have a bounty/cash reward program for such disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we would be glad to publicly acknowledge your contribution in this section on our website. Of course, this will be done if you want a public acknowledgement.

If you prefer to remain anonymous, we encourage you to use pseudonym when reporting.