Security

How we handle your data, how to report vulnerabilities, and how we respond.

Contact

For security issues, email security@screenshotmcp.com. We aim to acknowledge reports within one business day and will keep you updated through triage, remediation, and disclosure. Please do not file public GitHub issues for suspected vulnerabilities.

Responsible disclosure

  • Give us a reasonable window to triage and remediate before any public disclosure.
  • Do not access data that does not belong to your account, or attempt denial-of-service testing against shared infrastructure.
  • Do not exfiltrate or retain user data you encounter during testing.
  • We do not currently run a paid bug bounty, but we will publicly credit researchers who follow this policy.

Data protection

  • All API traffic is TLS-terminated; internal calls use mutually authenticated shared secrets.
  • Customer API keys are stored hashed (SHA-256); the raw key is never retrievable once issued.
  • Screenshots and recordings are uploaded to object storage with short-lived signed URLs for retrieval.
  • Console logs and network events captured during runs are scoped to the authenticated user and are never shared across accounts.

Operational transparency

Every API response includes an X-Request-ID that you can quote when contacting support. Production health is continuously monitored and published on /status. Customer-visible product changes ship through /changelog.