Built with security in mind
WebHound is a passive, authorized website security platform. Here's how we operate safely and how to reach our security team if you find an issue with WebHound itself.
Our security policy
Passive scanning only
WebHound never modifies your site, exploits weaknesses, or makes authenticated requests. Every scan is read-only and safe to run against production.
No credential storage
We never store passwords, API keys, or session tokens. Scans are performed against the public-facing URL only.
Authorized targets only
By using WebHound you confirm you own or are authorized to scan the target URL. Scanning unauthorized targets violates our terms and potentially the law.
Data handling
Scan results are stored securely and accessible only to your account. We do not sell or share scan data with third parties.
Responsible disclosure
How to report a vulnerability
If you discover a security issue in WebHound, please report it privately before any public disclosure. Send a clear, reproducible report to:
security@webhoundsecurity.comPlease include: a description of the issue, the affected component or URL, step-by-step reproduction, the impact you observed, and (if you have it) a proposed remediation. Encrypted submissions welcome — request our PGP key in your first message.
Expected response times
We commit to triage and respond on the following targets. Severity is assessed using CVSS 3.1 alongside the operational impact on WebHound or our customers' data.
Safe harbor
We will not pursue or support legal action against you for security research conducted in good faith against WebHound, provided you:
- Make a good-faith effort to avoid privacy violations, degradation of service, and disruption to other users.
- Only test against your own WebHound account or accounts you are explicitly authorized to test.
- Do not exfiltrate, modify, or destroy data that is not yours.
- Give us a reasonable opportunity to address the issue before any public disclosure.
- Comply with all applicable laws.
This safe-harbor commitment does not authorize testing against third-party services that WebHound integrates with. Each integrated service has its own disclosure policy and authorization rules.
Out of scope
Reports about social engineering, physical security, denial-of-service, spam, or issues that require an attacker to be in privileged network positions are generally out of scope. Reach out anyway if you're not sure — we'd rather hear about it.