PentStark
Trust · Disclosure

Good-faith research has a clear route in.

Scope, response windows, and safe harbor should be readable before a test begins. This policy is the operating path for reporting vulnerabilities in PentStark properties.

Response path

From report to coordinated resolution.

The clocks below are the response windows researchers can expect from the security contact.

  1. 01

    Send the report

    Email security@pentstark.com. A PGP key is available on request.

  2. 02

    Acknowledgement

    Expect an acknowledgement within 48 hours.

  3. 03

    Triage update

    Expect a triage update within 5 business days.

  4. 04

    Coordinate disclosure

    Give us reasonable remediation time before publication — typically 90 days, coordinated.

Good-faith research

Safe harbor, without ambiguity.

We will not pursue legal action or contact law enforcement over good-faith research that complies with this policy.

  • Do not access or modify data that is not your own.
  • Do not disrupt services or users.
  • Give us reasonable time to remediate before public disclosure — typically 90 days, coordinated.
  • Do not exfiltrate data beyond what is needed to demonstrate impact.
Testing boundary

Check scope before you test.

If ownership is unclear, email the security contact before taking action. Authorization for a PentStark property does not extend to a vendor's service.

Authorized properties

In scope

  • pentstark.com and subdomains
  • app.pentstark.com (customer portal)
  • assets.pentstark.com (public assets)
  • Public PentStark GitHub repositories

Excluded testing

Out of scope

  • Third-party services and infrastructure providers — report issues in the third-party service to that vendor
  • Denial of service, volumetric attacks, brute force
  • Social engineering against our staff or customers
  • Physical security testing
  • Reports that require privileged access you already have
Useful report

Send enough to reproduce—nothing more.

Keep evidence to the minimum needed to demonstrate impact and avoid including data that is not your own.

  • The affected property or repository
  • A clear impact statement
  • Reproduction steps and the smallest evidence needed to demonstrate impact
  • A safe way to contact you for follow-up