
Responsible Disclosure

Last updated: May 10, 2026

Our position

Dorklist is built for legitimate OSINT, bug bounty, pentesting, and security research. If you believe you have found a vulnerability in Dorklist itself, we appreciate responsible, good-faith reporting.

Safe harbor expectations

We will not pursue action against good-faith researchers who follow this policy, avoid harm, and give us a reasonable opportunity to investigate and remediate before public disclosure.

Rules of engagement

  • Test only Dorklist-owned systems and accounts you control.
  • Do not access, modify, delete, or exfiltrate other users’ data.
  • Do not perform denial-of-service, spam, social engineering, or physical attacks.
  • Do not attempt persistence, malware deployment, credential theft, or lateral movement.
  • Stop testing and report immediately if you encounter sensitive data.

What to include in a report

  • A clear summary of the issue and its potential impact.
  • Exact reproduction steps, affected URL or feature, and proof-of-concept details.
  • Screenshots, request/response snippets, or logs with secrets and user data redacted.
  • Your preferred contact information for follow-up.

Out of scope

  • Automated scanner noise without a working exploit or clear impact.
  • Missing security headers with no demonstrated risk.
  • Issues requiring compromised user devices, browsers, extensions, or email accounts.
  • Social engineering, phishing, spam, or attacks against third-party services.

Disclosure timeline

Please allow a reasonable remediation window before public disclosure. We will make a good-faith effort to acknowledge valid reports, investigate quickly, and keep you updated when practical.

How to report

Send vulnerability reports through the contact channel listed on Dorklist or in account communications. If a dedicated security email is added later, this page will be updated with the preferred address.