Security disclosure
How to report a security vulnerability in SiteCMD, what we promise, and our timeline for responses.
If you’ve found a security issue in SiteCMD, this page tells you how to tell us, what we’ll do about it, and what you can expect in return.
We take security seriously because SiteCMD is, by design, the app on your machine that knows where all your bodies are buried. A scan of your site is a catalog of what’s wrong with it. We’re acutely aware of what that means.
Scope
We want to hear about:
- Vulnerabilities in the SiteCMD desktop app (Tauri shell, Rust backend, React frontend).
- Vulnerabilities in the SiteCMD CLI (the sitecmd binary, embedded check engine).
- Vulnerabilities in the SiteCMD MCP server (sitecmd-mcp).
- Vulnerabilities in the SiteCMD release infrastructure (signing, update endpoint, distribution).
- Vulnerabilities in the SiteCMD marketing site (sitecmd.com) that have real impact (XSS that leaks license keys, etc., not theoretical clickjacking on a static page).
We don’t consider these scope (please don’t report):
- Findings the SiteCMD scan itself would surface (CSP report-only mode, missing security headers on the marketing site, etc.). These aren’t bugs; they’re product output.
- “Your app makes network requests” reports. We document every network request we make in Privacy & data; if you find one we haven’t documented, that’s a real report.
- Brute-force or denial-of-service against our public endpoints. We rate-limit and we don’t want to hear about it.
- Social engineering attempts against our team or customers.
- Anything that requires already having root on the target machine.
How to report
Email security@sitecmd.com with:
- A description of the issue
- Steps to reproduce
- The impact you believe it has
- Your name and how you’d like to be credited (or “anonymous”)
Encrypt the email with our PGP key if the report is highly sensitive. The key is published at https://sitecmd.com/.well-known/security.txt.
We don’t currently run a paid bug bounty. We do credit reporters publicly in our changelog and on a security advisories page (if you want credit; we’ll also respect “anonymous”).
What we promise
When you send us a report, you’ll get:
- An acknowledgment within 3 business days. A human will reply to confirm we received it.
- A triage decision within 7 business days. “Yes, this is a real issue, here’s our planned timeline” or “We don’t consider this a vulnerability, here’s why.”
- Regular updates until the issue is resolved. Typically every 1-2 weeks.
- Public credit when we ship the fix, if you want it.
- A clear advisory when we ship the fix, describing what was vulnerable, who’s affected, and what users need to do.
We do not threaten legal action for good-faith research. If you’re poking at SiteCMD to find security issues and you don’t disrupt other users or violate the law, we’re grateful, not adversarial.
Disclosure timeline
We aim to ship fixes within 30 days of confirming a high-severity or higher issue, and within 90 days for lower-severity findings. Some fixes take longer (deep architectural issues, dependencies that need upstream changes); we’ll communicate when that happens.
We ask that you delay public disclosure until we’ve shipped a fix, or until 90 days have passed (whichever comes first). If we go past 90 days without action, you’re free to disclose. We won’t be upset; that timeline exists precisely so reporters don’t get stuck.
What to do while waiting
While we’re working on a fix:
- Don’t share the vulnerability details publicly.
- Don’t exploit the vulnerability against users other than yourself.
- Feel free to discuss the existence of an unresolved issue in general terms (“I’m working with the SiteCMD team on a security issue”) but not the specifics.
If you need to disclose to a specific party (e.g., your security team, your employer), that’s fine; ask us to coordinate if it’s anything beyond your immediate team.
CVE assignment
For confirmed vulnerabilities with real-world impact, we’ll request a CVE through MITRE or the relevant CNA. We’ll share the CVE number with you and credit you in the advisory unless you’ve asked to be anonymous.
Not every issue gets a CVE. Low-impact findings, internal-only bugs, and infrastructure problems typically don’t. We’ll tell you whether we’re pursuing a CVE in the triage response.
Past advisories
A list of resolved security advisories will live at https://sitecmd.com/security/advisories once we have any to publish. As of this writing, the list is empty.
Why we have this page even before launch
SiteCMD is pre-launch, but the codebase is real, the auto-updater is signed, the desktop app and CLI exist, and someone could find an issue today. We’d rather have this page up early than realize, six months in, that no one knew where to report a vulnerability.