Report a vulnerability

Last updated: May 17, 2026

We take the security of Free SEO and the websites we audit very seriously. If you've found a security issue, thank you, and please tell us before telling anyone else. This page describes our responsible disclosure policy and what you can expect in return.

Email security reports to: support@interestbudsolutions.com

Subject line: Security report. For sensitive details, request our PGP key in your first message.

Our commitment to you

Acknowledgement in 2 business days

We'll confirm we received your report.

Triage in 5 business days

Severity, reproducibility and an initial plan.

Public credit

With your permission, in our Hall of Fame on this page.

What to include in your report

  • A clear description of the vulnerability and its impact.
  • Step-by-step instructions to reproduce, including URLs, requests and any required accounts.
  • Proof-of-concept code, screenshots or short screen recordings where helpful.
  • Your name or handle (if you want public credit) and a contact email.

Scope

The following assets are in scope:

  • freeseo.in and all subdomains
  • freeseo.lovable.app
  • Our public API endpoints under /api/public/*
  • The WordPress auto-fix integration

Out of scope

  • Findings from automated scanners without a working proof-of-concept.
  • Reports on missing HTTP security headers without a demonstrated impact.
  • SPF / DKIM / DMARC misconfigurations on non-email subdomains.
  • Self-XSS, clickjacking on pages with no sensitive actions, or CSRF on logged-out forms.
  • Vulnerabilities affecting only outdated browsers or platforms.
  • Rate limiting issues without a demonstrated security impact.
  • Issues in third-party services we use (Cloudflare, Supabase, Paddle, Resend); please report those to the vendor directly.
  • Reports about customer-owned websites we audit; please report those to the site owner.

Rules of engagement

Please do

  • Test only with accounts you own or have permission to test.
  • Use minimal data and stop as soon as impact is confirmed.
  • Give us a reasonable time to fix before public disclosure (90 days by default).
  • Keep details of any vulnerability confidential until fixed.

Please don't

  • Access, modify or delete other users' data.
  • Run denial-of-service, brute force or load tests.
  • Use social engineering, phishing or physical attacks against staff or customers.
  • Publicly disclose the issue before we've shipped a fix.

Safe harbor

If you make a good-faith effort to comply with this policy during your security research, we will consider your research authorised, we will work with you to understand and resolve the issue quickly, and we will not pursue or support any legal action against you. Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorisation known.

Rewards

Free SEO does not currently run a paid bug bounty programme. We do offer public credit (with your permission) and complimentary Free SEO Pro credits as a thank-you for valid, original reports, at our discretion based on severity and quality.

Hall of fame

Researchers who have responsibly disclosed valid vulnerabilities will be listed here, with their permission. Want to be the first? Send us a report.