Responsible disclosure policy.
We take security seriously — and we expect to be held to the same standards we hold our customers to.
How to report
Email security@pentstark.com. PGP key available on request. Expect an acknowledgement within 48 hours and a triage update within 5 business days.
In scope
- pentstark.com and subdomains
- app.pentstark.com (customer portal)
- assets.pentstark.com (public assets)
- Public PentStark GitHub repositories
Out of scope
- Third-party services (Clerk, Supabase, Vercel, Cal.com) — please report to the vendor
- Denial of service, volumetric attacks, brute force
- Social engineering against our staff or customers
- Physical security testing
- Findings that are only reachable with privileged access you already hold
Safe harbor
We will not pursue legal action or contact law enforcement over good-faith research that complies with this policy. Specifically:
- Do not access or modify data that is not your own.
- Do not disrupt services or users.
- Give us reasonable time to remediate before public disclosure (typically 90 days, coordinated).
- Do not exfiltrate data beyond what is needed to demonstrate impact.
Recognition
We publish a Hall of Fame for researchers who report valid findings. Monetary bounties are considered case-by-case. We are not yet running a public bug-bounty platform — this policy serves as the interim contract.
