Security & Trust

Built with security in mind

WebHound is a passive, authorized website security platform. Here's how we operate safely and how to reach our security team if you find an issue with WebHound itself.

Our security policy

Passive scanning only

WebHound never modifies your site, exploits weaknesses, or makes authenticated requests. Every scan is read-only and safe to run against production.

No credential storage

We never store passwords, API keys, or session tokens. Scans are performed against the public-facing URL only.

Authorized targets only

By using WebHound you confirm you own or are authorized to scan the target URL. Scanning unauthorized targets violates our terms and potentially the law.

Data handling

Scan results are stored securely and accessible only to your account. We do not sell or share scan data with third parties.

Responsible disclosure

How to report a vulnerability

If you discover a security issue in WebHound, please report it privately before any public disclosure. Send a clear, reproducible report to:

security@webhoundsecurity.com

Please include: a description of the issue, the affected component or URL, step-by-step reproduction, the impact you observed, and (if you have it) a proposed remediation. Encrypted submissions welcome — request our PGP key in your first message.

Expected response times

We commit to triage and respond on the following targets. Severity is assessed using CVSS 3.1 alongside the operational impact on WebHound or our customers' data.

CriticalAcknowledged within 24 hours · resolved within 7 days
HighAcknowledged within 48 hours · resolved within 14 days
MediumAcknowledged within 5 business days · resolved within 30 days
LowAcknowledged within 10 business days · resolved on a best-effort basis

Safe harbor

We will not pursue or support legal action against you for security research conducted in good faith against WebHound, provided you:

  • Make a good-faith effort to avoid privacy violations, degradation of service, and disruption to other users.
  • Only test against your own WebHound account or accounts you are explicitly authorized to test.
  • Do not exfiltrate, modify, or destroy data that is not yours.
  • Give us a reasonable opportunity to address the issue before any public disclosure.
  • Comply with all applicable laws.

This safe-harbor commitment does not authorize testing against third-party services that WebHound integrates with. Each integrated service has its own disclosure policy and authorization rules.

Out of scope

Reports about social engineering, physical security, denial-of-service, spam, or issues that require an attacker to be in privileged network positions are generally out of scope. Reach out anyway if you're not sure — we'd rather hear about it.