Security & Vulnerability Disclosure
Last updated: April 29, 2026
AdPlus stores OAuth credentials for ten advertising networks and operates campaigns on behalf of our users. Security is a first-order concern. We welcome reports from independent researchers who help us keep customer data and ad spend safe.
Report to: [email protected]
Acknowledgment: Within 3 business days for reports that include reproduction steps and impact analysis.
Bounty: We do not currently operate a paid bug bounty program. Valid reports are credited (with permission) on this page.
1. Reporting a Vulnerability
Send a detailed report to [email protected]. We do not pre-acknowledge findings or commit to rewards before details are shared — please include the technical specifics in your initial email so we can triage promptly.
If your report involves sensitive data exposure, you may request our PGP public key by email and we will provide it before you send the proof of concept. Encrypted submissions are not required for most issue classes.
2. What to Include
Reports without sufficient technical detail will not be acknowledged. A complete report contains:
- Vulnerability class (e.g., XSS, IDOR, SSRF, authentication bypass, OAuth token disclosure).
- Affected endpoint or URL, including HTTP method and any required parameters.
- Reproduction steps from a clean state — request payloads, sequence of actions, and expected vs. observed behavior.
- Proof of concept (request/response captures, scripts, screenshots, or a short video).
- Impact assessment: what an attacker can read, modify, or perform; which user accounts or data are at risk; whether authentication is required.
- Suggested mitigation, if you have one.
3. Scope
The following systems are in scope for security research:
- getadplus.com — marketing site, blog, public tools.
- app.getadplus.com — application frontend.
- api.getadplus.com — production API, including authenticated endpoints accessible from your own account.
Issues that demonstrate genuine impact on the confidentiality, integrity, or availability of customer data, OAuth credentials, ad spend, or AI agent behavior are taken seriously regardless of where they originate.
4. Out of Scope
The following are not considered vulnerabilities and will be closed without further action:
- Missing or misconfigured security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) on pages that do not handle authenticated user actions.
- Missing SPF, DKIM, or DMARC records on domains we do not send mail from.
- Clickjacking on pages with no sensitive state-changing actions.
- Self-XSS, or XSS that requires the victim to paste attacker-controlled content into their own browser.
- Rate-limit reports without a demonstrated attack scenario (resource exhaustion, account enumeration with measurable cost).
- Username or email enumeration via timing or response-difference signals.
- Open redirects without a demonstrated authentication or token theft scenario.
- Reports generated solely by automated scanners (Nessus, Burp Active Scan, Acunetix, Nuclei, etc.) without manual validation and a written impact analysis.
- Issues affecting only end-of-life browsers, unsupported software, or jailbroken/rooted devices.
- Denial-of-service attacks against production infrastructure. Do not attempt these — see Safe Harbor.
- Social engineering of AdPlus employees, contractors, or users.
- Physical attacks against AdPlus property or data centers.
- Findings in third-party services we integrate with (Google Ads, Meta, Stripe, SendGrid, etc.) — please report those to the relevant vendor.
- Findings against OAuth provider login flows themselves (Google, Microsoft, Meta, etc.).
5. Our Commitments
For reports that meet the requirements in Section 2 and fall within scope, we commit to:
- Acknowledgment within 3 business days.
- Initial triage with severity classification within 7 business days.
- Remediation timeline communicated for confirmed issues, with critical issues prioritized for same-week deployment.
- Disclosure coordination — we will work with you on a public disclosure timeline once a fix is deployed, typically 30–90 days from confirmation.
6. Recognition & Rewards
AdPlus does not currently operate a paid bug bounty program. We may revisit this as the company grows.
For valid reports we offer, with your permission:
- A credit on the Hall of Fame below, with a name and link of your choosing.
- A written acknowledgment letter for your security portfolio or résumé.
- Coordinated public disclosure crediting your work.
We do not respond to demands for payment in exchange for vulnerability details, nor to reports that are gated on a reward decision.
7. Safe Harbor
We consider security research conducted under the following conditions to be authorized, and we will not initiate or support legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption.
- Do not access, modify, or exfiltrate any account or data other than their own test accounts.
- Stop testing immediately and notify us upon discovery of a vulnerability that exposes another user's data.
- Do not use automated tools that generate excessive request volume or impair production performance.
- Do not perform denial-of-service testing, social engineering, or physical attacks.
- Provide us a reasonable period to investigate and remediate before public disclosure.
This safe harbor does not extend to actions that violate applicable law or that compromise other users' data, accounts, or ad spend.
8. Hall of Fame
We thank the following researchers for responsibly disclosing security issues to AdPlus.
No entries yet — be the first.