Our responsible vulnerability disclosure program — how to report security issues and the protections we extend to researchers.
Penteor Technology Limited is committed to maintaining the security and resilience of its platforms and services. We welcome responsible vulnerability reports from security researchers, independent testers, customers, and partners who discover potential weaknesses in our publicly accessible systems. This program sets out what may be reported, the process for doing so, the protections afforded to good-faith researchers, our corresponding obligations, and the conditions under which we offer rewards. This policy is aligned with the coordinated vulnerability disclosure framework under Article 12 of the NIS2 Directive (EU) 2022/2555 and relevant ENISA guidance.
In-scope systems shall include our publicly accessible web portal and customer-facing application interfaces, published API endpoints and authentication mechanisms, externally accessible infrastructure within Penteor-owned domains, and email security controls (SPF, DKIM, DMARC). Vulnerabilities falling within the OWASP Top 10 categories affecting confidentiality, integrity, or availability are of primary interest. The following are explicitly excluded: physical premises, internal-only systems, DoS/DDoS attacks, brute-force attacks, social engineering of employees, third-party SaaS platforms outside our control, findings based solely on automated scanning tools without validated proof-of-concept, and vulnerabilities in end-of-life software not maintained by Penteor.
By participating in this program, you agree to the following: testing in good faith only — limit any exploitation to what is needed to demonstrate impact; no disruptive testing and no degradation of services; no social engineering of Penteor employees; a minimal footprint — access only the minimum data necessary; a safe proof-of-concept using benign payloads, and never using live production data; immediate cessation of testing if personal data is inadvertently encountered, with prompt notification to us; no premature disclosure of vulnerabilities — do not publish details until we confirm a fix is deployed or authorize disclosure.
Researchers who fully comply with the terms of this program — including scope, rules of engagement, and reporting process — shall not be subject to legal action, claims for damages, or referral to law enforcement authorities by Penteor. This safe harbor applies solely where the researcher acts in good faith to improve security. It does not cover intentional damage, data exfiltration beyond what is strictly necessary for a proof-of-concept, extortion, exploitation beyond what is necessary to document a vulnerability, or disclosure to third parties before agreed remediation. This safe harbor is aligned with protections recommended under EU cybersecurity frameworks, including ENISA's CVD Good Practice Guide and NIS2 Article 12.
All vulnerability reports shall be submitted via our Contact page, and clearly marked as security vulnerability reports. Each report shall include: the affected asset (specific service, endpoint, or domain); vulnerability class (e.g. SQL injection, broken access control, SSRF); clear reproduction steps with tools and configurations used; evidence (screenshots, HTTP captures) with personal data redacted; your impact assessment (confidentiality, integrity, availability); and your contact details (optional, but recommended). Reports shall be submitted in English and we treat all submissions as confidential.
Acknowledgement will be provided within three (3) business days of receipt. Initial triage and a severity assessment will be completed within seven (7) business days. A progress update will be provided within ten (10) business days, or sooner if the issue is resolved. A remediation timeline will be communicated upon confirmation of a valid finding. A coordinated disclosure timeline will be agreed with you following remediation. If our investigation triggers GDPR Article 33 (personal data breach notification to the supervisory authority) or NIS2 Article 23 (significant incident notification) obligations, we shall meet those statutory deadlines independently of the timelines set out in this program.
Information shared by you during the reporting process — including contact details, report content, and proof-of-concept materials — shall be processed in accordance with our Privacy Policy. Your personal data shall be used solely for investigating and remediating the reported vulnerability. Any personal data you accessed incidentally during testing shall be deleted upon our request. We will not retain report data longer than necessary for remediation and regulatory compliance. You may exercise your rights as a data subject (access, erasure, restriction) via our Contact page.
We assess vulnerabilities using a risk-based approach based on CVSS scoring and contextual factors including exploitability, data sensitivity, and business impact.
We reserve the right to deviate from CVSS scores where contextual assessment indicates a materially different severity level.
Penteor may offer impact-based rewards for valid, original security findings — either financial compensation or Swag Packs, at its sole discretion. Eligibility shall require: a working, reproducible proof-of-concept; an original vulnerability not previously known to us or publicly disclosed; and full compliance with the rules of engagement and scope. Where duplicate reports are received, only the first valid report is eligible for a reward. Reward amounts are determined by confirmed severity, report quality, exploitability, and researcher cooperation. We reserve the right to decline rewards for negligible-impact findings or for non-compliance with program terms.
With your permission, Penteor may recognize researchers whose reports lead to confirmed, remediated findings in our public security acknowledgement list. Please indicate in your submission whether you consent to being named.
This program shall be reviewed at least annually and updated in response to changes in Penteor's product landscape, applicable laws and regulations (including NIS2 transpositions across EEA member states), and CVD best practice guidance from ENISA. Material changes will be reflected in the "Last updated" date. All enquiries relating to this program shall be submitted via our Contact page.