What we test
Mara scans only targets over which the customer has demonstrated control, through either DNS TXT verification or .well-known/mara-auth.txt verification. Out-of-scope requests are dropped at the egress proxy.
Reporting a vulnerability in Mara itself
Email security@mara.ai with detailed reproduction steps. Our PGP key is at /.well-known/security.txt. We acknowledge reports within 24 hours and ship fixes for critical issues within 30 days.
Safe harbor
We will not pursue civil or criminal action against researchers who comply with this policy. Test only against accounts you own; avoid privacy violations, service degradation, and data exfiltration beyond what is required to demonstrate impact.