Security

Responsible Disclosure Policy

Pentevo is a security company. We take vulnerabilities in our own platform seriously and are committed to working with the security community to address issues responsibly.

Safe Harbor

We will not pursue legal action against security researchers who:

Report vulnerabilities through the process described in this policy.
Act in good faith and do not intentionally harm Pentevo or our customers.
Do not access, exfiltrate, or destroy customer data beyond what is necessary to demonstrate the vulnerability.
Do not perform denial-of-service attacks or degrade platform availability.
Do not disclose the vulnerability publicly before we have had a reasonable opportunity to fix it.

If you follow these guidelines, we consider your research authorized and will work with you in good faith to resolve the issue promptly.

Scope — In Scope

The following systems are in scope for this program:

pentevo.com — main website and marketing pages
app.pentevo.com — web application and dashboard
api.pentevo.com — REST API and WebSocket endpoints
Authentication and session management across all services
Access control and tenant isolation between customer accounts

Out of Scope

The following are not in scope and should not be tested:

Third-party services and subprocessors (AWS, Stripe, Anthropic, etc.)
Volumetric denial-of-service attacks or rate limit abuse
Social engineering of Pentevo employees or customers
Physical security of our offices or infrastructure
Automated vulnerability scanner output without manual verification
Missing security headers without a demonstrated exploitable impact
SPF/DKIM/DMARC issues without demonstrated phishing capability
Clickjacking on pages without sensitive actions

What We Want to Hear About

High-value reports demonstrate real, exploitable impact. We are particularly interested in:

Authentication bypass or account takeover
Cross-tenant data access (IDOR, broken access control)
Remote code execution on platform infrastructure
SQL injection with data extraction evidence
Server-Side Request Forgery (SSRF) with internal network access
Significant information disclosure (credentials, customer data, PII)
Privilege escalation within the platform
Scan scope bypass — triggering scans on targets outside the defined scope

Reporting Instructions

Send vulnerability reports to: security@pentevo.com

Please include in your report:

A clear description of the vulnerability and its impact
Step-by-step reproduction instructions
Proof-of-concept code, screenshots, or request/response pairs
The affected URL(s), endpoint(s), or component(s)
Your assessment of severity (Critical / High / Medium / Low)

For sensitive reports, you may encrypt your email using our PGP key. Request it at security@pentevo.com.

Response Timeline

Initial acknowledgementWithin 24 hours

Severity assessment and triageWithin 3 business days

Resolution timeline providedWithin 5 business days

Fix deployed (Critical/High)Within 14 days

Fix deployed (Medium/Low)Within 45 days

Public disclosure (if desired)After fix is deployed

We do not currently offer financial bounties but will acknowledge researchers in our security advisories and Hall of Fame (with permission).