Responsible Disclosure Policy

Last updated: 1 January 2026  ·  We appreciate the security research community.

Contents

  • 1. Introduction
  • 2. Scope
  • 3. How to Report
  • 4. Response Timeline
  • 5. Safe Harbour
  • 6. Our Commitments
  • 7. Researcher Guidelines
  • 8. Out-of-Scope Behaviour
  • 9. Recognition
  • 10. Contact

We believe responsible security research makes the internet safer. If you discover a vulnerability in our infrastructure, please tell us privately before disclosing it publicly. We commit to working with you in good faith and will not take legal action against researchers who act responsibly.

1. Introduction

PentesterHub takes the security of our own infrastructure seriously. Even as a security-focused company, we accept that vulnerabilities may exist despite our best efforts. We welcome security researchers who identify issues in our systems and report them to us responsibly.

This policy outlines how to report vulnerabilities, what you can expect from us, and the protections we extend to researchers who act in good faith.

2. Scope

This policy applies to vulnerabilities found in PentesterHub-owned infrastructure:

✓ In Scope

  • pentesterhub.com and all subdomains
  • Our web application and contact form
  • Authentication mechanisms (if any)
  • Infrastructure directly operated by PentesterHub

✗ Out of Scope

  • Third-party services (FormSubmit, GitHub Pages, Google Fonts)
  • Social media accounts (LinkedIn)
  • Our clients' systems and infrastructure
  • Physical security of our premises
  • Social engineering attacks against our staff

Vulnerabilities found in third-party services we use should be reported directly to those vendors through their respective disclosure programmes.

3. How to Report

Please send your vulnerability report to us via email. Include as much detail as possible to help us reproduce and verify the issue quickly.

Reporting Contact

[email protected]

Use subject line: [Security Disclosure] — Brief description

What to include in your report

  • A clear description of the vulnerability type (e.g. XSS, IDOR, SSRF)
  • The URL, endpoint, or component affected
  • Step-by-step reproduction instructions
  • Proof-of-concept code, screenshots, or video (if available)
  • Your assessment of the potential impact
  • Your name or alias (for acknowledgement purposes, optional)

The more detail you provide, the faster we can triage and address the issue.

4. Response Timeline

We commit to the following response timeline for valid vulnerability reports:

1. Acknowledgement — within 48 hours

We will confirm receipt of your report and provide an initial reference number.

2. Triage — within 5 business days

We will assess the validity and severity of the reported vulnerability and keep you informed of our findings.

3. Remediation — within 30 days (critical: 7 days)

We aim to remediate confirmed vulnerabilities promptly. Complex issues may take longer; we will communicate timelines clearly.

4. Disclosure coordination — mutually agreed

We are open to coordinated public disclosure after the vulnerability has been remediated. We will work with you on timing.

5. Safe Harbour

PentesterHub extends safe harbour to security researchers who:

  • Report vulnerabilities in good faith, without intent to cause harm
  • Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability
  • Do not disrupt the availability of our services
  • Do not conduct automated scanning at a scale that impacts service availability
  • Report the vulnerability to us before disclosing publicly
  • Give us reasonable time to remediate before disclosure

If you act in good faith and in accordance with these guidelines, we will not pursue civil or criminal action against you, and we will not refer your activities to law enforcement. We consider responsible security research to be a valuable contribution to the security community.

6. Our Commitments to Researchers

  • We will acknowledge every report within 48 hours and complete triage within 5 business days
  • We will keep you informed of our remediation progress
  • We will not take legal action against researchers who act in good faith
  • We will acknowledge your contribution (with your permission) upon remediation
  • We will work with you on coordinated disclosure timing
  • We will notify you when the vulnerability has been fixed so you can verify

7. Researcher Guidelines

To ensure your research stays within safe and legal boundaries, please follow these guidelines:

  • Only test against systems explicitly listed as in-scope
  • Do not access, download, modify, or delete any user or company data
  • Do not perform denial-of-service attacks or resource exhaustion testing
  • Do not use automated scanners at high request rates that may impact availability
  • Do not conduct social engineering, phishing, or physical intrusion attempts
  • Do not exploit a vulnerability beyond what is necessary to demonstrate its existence
  • Stop testing immediately if you encounter any personal or sensitive data

8. Out-of-Scope Behaviour

The following will not be considered valid disclosures and are explicitly excluded from safe harbour protections:

  • Attacks involving physical access to our infrastructure
  • Social engineering or phishing of PentesterHub staff
  • Automated vulnerability scanning without prior notification
  • Reports of missing security headers without demonstrable impact
  • Self-XSS, where the only way to trigger the payload is for the victim to paste or run it themselves
  • Reports based solely on version banners or dependency versions, without a demonstrated exploit against our deployment
  • Theoretical vulnerabilities without proof of concept
  • Any vulnerability in third-party services outside our control

9. Recognition

While we do not currently operate a paid bug bounty programme, we deeply value the work of the security research community. Valid, responsibly reported vulnerabilities will be acknowledged in a Hall of Thanks (upon your consent) on our website once the issue has been remediated.

We are open to discussing formal bug bounty arrangements for researchers who identify high-severity vulnerabilities. Please reach out to discuss.

10. Contact

To report a vulnerability or to ask questions about this policy:

  • Email: [email protected]
  • Subject line: [Security Disclosure] — Brief description
  • LinkedIn: linkedin.com/company/pentesterhub

We thank the security research community for helping keep the internet safer.

© 2026 PentesterHub. All rights reserved.
