Security
Responsible Disclosure
Found a security issue in PenScan? We want to hear from you. We're committed to working with researchers to fix issues quickly and responsibly.
Report a vulnerability
Email your findings to our security team. We respond within 24 hours.
security@penscan.org
Our commitment to you
We will acknowledge your report within 24 hours.
We will keep you informed of our progress throughout the investigation.
We will work to fix confirmed vulnerabilities within 30 days (critical issues within 7 days).
We will not pursue legal action against researchers who act in good faith under this policy.
We will credit you in our acknowledgements (unless you prefer to remain anonymous).
In scope
The following systems are in scope for responsible disclosure:
- penscan.org
- platform.penscan.org
- *.penscan.org (all subdomains)
Out of scope
The following are out of scope and should not be tested:
- Denial of service (DoS/DDoS) attacks
- Social engineering of PenScan employees
- Physical attacks against our infrastructure
- Vulnerabilities in third-party services we use (report those to the vendor)
- Automated scanning of our own infrastructure with third-party tools
- Issues that require physical access to a user's device
What to include in your report
Clear, reproducible reports help us fix issues faster. Please include:
- A description of the vulnerability and its potential impact
- Step-by-step reproduction instructions
- Screenshots or a proof-of-concept (PoC) if applicable
- The URL or endpoint affected
- Your assessment of the severity (CVSS score if possible)
Good faith guidelines
To qualify for good-faith protection under this policy, you must:
- Report the issue to us before disclosing it publicly.
- Avoid accessing, modifying, or deleting data belonging to other users.
- Not exploit the vulnerability beyond what is needed to demonstrate it.
- Not use the vulnerability to scan or attack users of our platform.
- Give us reasonable time to investigate and fix before public disclosure.
We do not currently offer monetary bug bounties, but we deeply appreciate the security research community and will acknowledge responsible reports in our credits.
Contact: security@penscan.org