Security
Updated: June 2026
Reporting a vulnerability
If you believe you have found a security vulnerability in HTMLvault, please report it to us via email. We ask that you do not disclose the issue publicly until we have had a reasonable opportunity to investigate and address it.
Send reports to [email protected]. We aim to acknowledge reports within 2 business days and to provide a resolution timeline within 7 business days of confirming the issue.
What to include
- A clear description of the vulnerability and its potential impact
- Steps to reproduce the issue (proof of concept if possible)
- The affected URL, endpoint, or component
- Any relevant screenshots, request/response logs, or payloads
Our commitments
- We will not pursue legal action against researchers acting in good faith
- We will acknowledge receipt within 2 business days
- We will keep you informed of our progress toward a fix
- We will credit you in our release notes if you wish
Scope
Reports are in scope for:
- htmlvault.dev and all subdomains
- htmlvault.io — link-serving domain
- hvlt.io — branded subdomain hosting
- The HTMLvault REST API and MCP server
Out of scope: denial-of-service attacks, social engineering, physical security, or issues in third-party dependencies that are not exploitable in our context.
Integrating with our webhooks? Every delivery is signed — see signature verification for how to validate the X-HTMLvault-Signature header.
PGP
If your report contains sensitive details, you may request our PGP key by emailing [email protected] and we will respond with the key before you send the full report.