Introduction
Squarespace is committed to maintaining a strong security posture. We encourage security professionals to practice responsible disclosure and let us know right away if a vulnerability is discovered. We will investigate all legitimate reports and follow up if more details are required. Prior to reporting a vulnerability, please follow our Responsible Disclosure Guidelines and Submission Criteria outlined below.
Submission Criteria
Qualifying vulnerability classes
Server-side Remote Code Execution (RCE)
SQL Injection (SQLi)
Server-Side Request Forgery (SSRF)
Cross-site Scripting (XSS)
XML External Entity Attacks (XXE)
Local File Disclosure (LFD)
Cross-site Request Forgery (CSRF)
Access Control Issues (ACI)
Out of scope and non-qualifying issues
All Squarespace customer websites or other customer content not owned by the researcher.
Denial-of-service testing of any kind. If you find a request that takes unusually long to respond, report it to us rather than attempting to exploit it.
Clickjacking, or issues only exploitable through clickjacking.
Vulnerabilities that are already known (e.g. previously discovered by an internal team or another researcher).
Issues that require physical access to a victim's computer.
Issues that require privileged access to the victim's network.
Network-level Denial of Service.
XSS issues that only affect outdated browsers.
Application-level Denial of Service.
Duplicate submissions for issues that are already being remediated.
Lack of security-related flags on cookies.
Password complexity guidelines.
Password brute-forcing.
Lack of email validation.
Self-XSS.
Reflected File Download (RFD).
Email or user enumeration.
Reporting a potential vulnerability if you are not a security researcher
If you are a Squarespace customer but not a security researcher, please file a support request describing your security concern.