Security is a top priority for Socket. We believe that working with security researchers is crucial in making the internet safe for all.
If you believe you've found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly. Thanks in advance!
This is approximately how much we expect to pay for reports. Understand that this is a guide – it's meant to help set expectations.
If you believe you've discovered a potential security issue, please let us know by emailing us at security@socket.dev. We will acknowledge your email within five business days. Please only use this address to report security flaws and not for general product support.
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
If you would like to send us an encrypted report, email us with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it on this page.
We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.
The following are explicitly in scope for this program:
socket.dev
and all its subdomains (except CNAME subdomains such as feedback.socket.dev
)socketusercontent.com
and all its subdomainsWhile researching, we'd like you to refrain from:
Thank you for helping to keep our users safe!
If you make a good faith effort to comply with this Policy, we will not pursue legal action against you with respect to your research conducted in compliance with this Policy. We consider research conducted in accordance with this Policy to be:
You are expected, as always, to comply with all applicable laws; Permission granted by Socket in this section does not exempt you from those laws.
We understand that Socket is interconnected with third-party systems and services. While we have the ability to authorize your research on Socket's systems and services, we cannot authorize any research on third-party systems or services. If legal action is initiated by a third party against you and you have complied with this Policy, we will take steps to make it known that your actions were conducted in compliance with this Policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report to security@socket.dev before proceeding with such research.
If you submit a report in accordance with this Policy which affects a third party service we may be required or have an obligation to share certain information with the affected third party. For example, we may share non-identifying content from your report with an affected third party. Except as required by law, we will not share your identifying information with any affected third party without first notifying you.
Please note that we cannot authorize out-of-Scope testing in the name of third parties, and such testing is beyond the Scope of our Policy. Please contact any third party either directly or through a legal representative, or refer to such third party’s vulnerability disclosure Policy before initiating any testing on that third party or their services. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third party action based on your actions.
We may revise these guidelines from time to time. The most current version of the guidelines will be available here.
Updated July 22, 2025.