Responsible disclosure

Last updated · 2026-05-08

This document describes the audit scope of E:LAB Studio's tools and services, how we use external data, where our liability ends, and how to report security issues in our own systems.

1. Security audit scope

  • Our Security audit only runs against sites whose domain ownership has been verified. Unverified domains are never scanned.
  • Most scanners are passive — they analyse public responses and metadata only.
  • A handful of active checks exist, governed by the following rules:
    • Rate limited (≤ 30 requests per minute)
    • No attempt to mutate user data
    • Only non-destructive payloads
    • Full audit completes within 45 seconds

2. SEO / GEO audit scope

  • SEO / GEO audits read only public pages — meta, OG, structured data, and headers. Pages behind authentication are out of scope.
  • Scores are computed from our internal rulebook, which may evolve over time.
  • A high score does not guarantee search / AI exposure, and a low score does not block exposure outright. Scores are signals for prioritising improvements.

3. External data usage

  • OSV.dev: public data used for matching JavaScript library CVEs.
  • Google Safe Browsing: public API used to check domain-blocking status.
  • Google Analytics: anonymised usage statistics.
  • Google OAuth: login authentication.
  • LemonSqueezy: payment processing.
  • Anthropic: model calls for some AI suggestion features (parts of audit results may be sent to the model).

Beyond these sub-processors, we do not send your site information to any external system.

4. Limits of liability

  • Our tool output alone is not complete proof of site security or search exposure.
  • The Security audit only analyses publicly exposed signals. It cannot catch every risk in your internal code, server configuration, or operations.
  • For deep penetration testing, hire a dedicated security firm.
  • Decisions based on SEO / GEO results are your responsibility, and outcomes can shift with search-engine / AI algorithm changes.

5. Reporting vulnerabilities in our own systems

If you find a security issue in E:LAB Studio's tools / services (elab-studio.com and adjacent subdomains), please report it as follows.

  1. Send the issue, reproduction steps, and impact range to gdode2080@gmail.com.
  2. We acknowledge receipt within 48 hours on average.
  3. We prioritise patches by severity and publish a post-mortem after the patch ships.

For a faster response, please:

  • Do not access real user data.
  • Do not harm service availability (no bulk automated attacks).
  • Hold off on public disclosure until the patch ships.

6. Triage priority

  • Critical: auth bypass, user-data exposure, infrastructure takeover → patch starts within 24 hours
  • High: privilege escalation, payment bypass → patch within 3 business days
  • Medium / Low: information disclosure, UX defects → reviewed and a schedule shared within 14 business days

7. Reward

We do not run a formal bug-bounty program. For meaningful reports, we offer a Hall-of-Fame listing or an appropriate token of thanks.