Responsible disclosure

Found something? Tell us first.

Email security@autoseo.it.com with details. We acknowledge within 24 business hours and run a coordinated disclosure with you. Good-faith research is welcome — see the safe-harbor terms below.

Safe harbor

Good-faith testing under the scope below won't trigger legal action from Auto SEO. We won't share your identity without consent.

Fast response

Acknowledgment within 24 business hours, triage within 3 business days, then a remediation SLA tied to the assigned severity (see the timeline below).

No bounty (yet)

We're bootstrapping the program. Hall-of-fame credit + swag now; cash bounty coming in 2026.

In scope

  • All Auto SEO production domains (autoseo.it.com, *.autoseo.it.com)
  • The Auto SEO web app, dashboard, and API endpoints
  • Webhook receiver endpoints (HMAC signature handling)
  • OAuth and integration token flows (WordPress, Shopify, Webflow, Ghost, etc.)
  • Customer-facing SSO and OIDC endpoints

Out of scope

  • Denial-of-service attacks (please don't)
  • Social engineering of Auto SEO staff or customers
  • Physical attacks against our offices or staff
  • Self-XSS (vulnerabilities requiring the victim to paste payloads into their own browser)
  • Already-known issues we've disclosed in our changelog

Our timeline

  1. Acknowledgment

    Within 24 business hours of receipt.

  2. Triage + severity rating

    Within 3 business days.

  3. Initial fix or mitigation

    Critical: 7 days. High: 14 days. Medium: 30 days. Low: 60 days.

  4. Coordinated disclosure

    After fix is deployed, we agree on a public-disclosure date with the reporter.

Submit a report

Include: a short summary, step-by-step reproduction instructions, the affected asset or URL, and your suggested severity. Keep any proof-of-concept to the minimum needed to demonstrate the issue. PGP key available on request.

Email security@autoseo.it.com