Security Policy
Last updated: April 28, 2026
ShellPDFs provides privacy-first PDF tools for documents and webpages. We welcome responsible reports from security researchers who discover vulnerabilities that could affect our users, infrastructure, or document-processing workflows.
How to Report a Vulnerability
Email security reports to [email protected]. Include a clear description of the issue, affected URL or endpoint, reproduction steps, expected impact, and any relevant screenshots, request logs, or proof-of-concept details.
Please do not include live user documents, credentials, secrets, or personal data in your report. If a finding requires a sample file, use a synthetic test document that contains no sensitive information.
Scope
In-scope reports include vulnerabilities affecting ShellPDFs web pages, API routes, authentication flows, file upload and download handling, browser-based PDF tools, temporary cloud-processing workflows, rate limits, URL validation, and document cleanup behavior.
Out-of-scope reports include social engineering, physical attacks, spam, denial-of-service testing, automated scanner output without demonstrated impact, missing non-critical security headers, and issues affecting third-party services outside ShellPDFs' control.
Testing Rules
Keep testing limited, non-destructive, and tied to accounts or files you control. Do not attempt to access, modify, exfiltrate, or delete another user's data. Do not disrupt service availability, bypass payment or usage limits for real use, or run high-volume automated tests without prior written permission.
If you encounter data that does not belong to you, stop testing immediately and report only the minimum information needed for us to investigate.
Our Response Process
We review security reports as quickly as possible and may follow up for clarification or additional reproduction details. We prioritize findings based on practical impact, exploitability, affected users, and whether sensitive documents or account data could be exposed.
We do not currently operate a paid bug bounty program. Submitting a report does not create an employment, contractor, or compensation relationship with ShellPDFs.
Safe Harbor
We will not pursue legal action against researchers who make a good-faith effort to follow this policy, avoid privacy violations, avoid service disruption, and report vulnerabilities promptly. This safe harbor does not apply to unlawful activity, extortion, public disclosure before remediation, or testing that harms ShellPDFs users or systems.
Related Policies
For details about document handling, temporary file deletion, analytics, advertising, and privacy requests, read our Privacy Policy.
