Security Policy

We recognize the value that external security researchers can bring to the security of Pentalog systems, and we welcome contributions from security researchers, as outlined below.

If you believe that you have found a security vulnerability on any of our websites, we encourage you to let us know straight away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting, though, please review this page, including our responsible disclosure policy.

Reporting your vulnerability

Notification must take place via email to security@pentalog.com. Don’t submit vulnerability reports through social networks where Pentalog has a presence.

We expect researchers to keep the details of the vulnerability private until a fix is released.

Responsible disclosure policy

A security vulnerability refers to a flaw or weakness in a product or system that could compromise the availability or security of that product or system if exposed to attackers.

In researching security vulnerabilities on any of our websites, please take into account the following:

  • We don’t permit any security testing that attempts to degrade, interrupt, or deny service (DoS) to our members.
  • Vulnerability research doesn’t extend to accessing or modifying member data that doesn’t belong to the researcher. All testing should be conducted against accounts that are under a researcher’s control.

Out of scope

  • Spam or social engineering techniques (phishing)
  • Denial-of-service attacks