Security

Security is a top priority for Socket. We believe that working with security researchers is crucial in making the internet safe for all.

Coordinated Disclosure Policy

If you believe you've found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly. Thanks in advance!

Bounty Schedule

This is approximately how much we expect to pay for reports. Understand that this is a guide – it's meant to help set expectations.

  • $0 — We're aware of this, or we don't see it as a security issue.
  • $50 — A minor security problem. It doesn't present much risk. It's likely not getting fixed in the next release.
  • $500 — Definitely a real problem that puts users at risk. We will ship a fix in a scheduled release.
  • $1000 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems – but if we do, we really want to hear about them.

Disclosure Policy

  • If you believe you've discovered a potential security issue, please let us know by emailing us at security@socket.dev. We will acknowledge your email within five business days. Please only use this address to report security flaws and not for general product support.

  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • If you would like to send us an encrypted report, email us with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it on this page.

  • We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.

Scope

The following are explicitly in scope for this program:

  • socket.dev and all its subdomains (except CNAME subdomains such as feedback.socket.dev)
  • socketusercontent.com and all its subdomains

Exclusions

While researching, we'd like you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Socket employees or contractors
  • Any physical attempts against Socket's physical property or data centers

Thank you for helping to keep our users safe!

Safe Harbor

If you make a good faith effort to comply with this Policy, we will not pursue legal action against you with respect to your research conducted in compliance with this Policy. We consider research conducted in accordance with this Policy to be:

  • Authorized in view of any applicable anti-hacking laws (including but not limited to the Computer Fraud and Abuse Act (CFAA) and/or similar state laws), and we will not initiate or pursue legal action against you for accidental, good faith violations of this Policy;
  • Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from the Digital Millennium Copyright Act (DMCA) with respect to the circumvention of the technological measures and controls we have used to protect our applications;
  • Exempt from any restrictions in our Terms of Use that would prohibit such research, and we waive those restrictions on a limited basis for research conducted in accordance with this Policy; and
  • Conducted in good faith.

You are expected, as always, to comply with all applicable laws; permission granted by Socket in this section does not exempt you from those laws.

We understand that Socket is interconnected with third-party systems and services. While we have the ability to authorize your research on Socket's systems and services, we cannot authorize any research on third-party systems or services. If legal action is initiated by a third party against you and you have complied with this Policy, we will take steps to make it known that your actions were conducted in compliance with this Policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report to security@socket.dev before proceeding with such research.

Third Party Safe Harbor

If you submit a report in accordance with this Policy which affects a third party service we may be required or have an obligation to share certain information with the affected third party. For example, we may share non-identifying content from your report with an affected third party. Except as required by law, we will not share your identifying information with any affected third party without first notifying you.

Please note that we cannot authorize out-of-Scope testing in the name of third parties, and such testing is beyond the Scope of our Policy. Please contact any third party either directly or through a legal representative, or refer to such third party’s vulnerability disclosure Policy before initiating any testing on that third party or their services. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third party action based on your actions.

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available here.

Updated July 22, 2025.