
Vulnerability disclosure

Last updated 2026-04-22.

We build a security product. If you find a vulnerability in PennScan, we want to know about it — and we’ll treat your report the way we’d want ours treated.

How to report

Email security@pennscan.com. For anything sensitive, encrypt with our PGP key (fingerprint below). Please include:

  • A clear description of the issue and its impact.
  • Steps to reproduce, including any accounts, endpoints, or payloads needed.
  • Your disclosure timeline preference (if any).

Do not open a public GitHub issue for a vulnerability. We’ll credit you in the advisory (unless you ask to remain anonymous).

PGP

PGP key pending — published to /.well-known/security.txt at launch.

Our commitments

  • Acknowledge within 1 business day that we’ve seen your report.
  • Triage within 3 business days — confirm the issue (or explain why we think it isn’t one).
  • Ship a fix on severity-appropriate timelines — within 14 days for CRITICAL, 30 for HIGH, 90 for MEDIUM.
  • Coordinate disclosure. We’ll publish an advisory on /changelog once the fix is out, crediting you if you want credit.

Scope

In scope:

  • pennscan.com, api.pennscan.com, reports.pennscan.com.
  • The gitdhillonai/pennscan engine (tagged releases).
  • Supply-chain issues in the published docker images and GitHub Action.

Out of scope:

  • Findings that require prior compromise of a user’s workstation or account.
  • Rate-limit / brute-force claims on endpoints that already enforce rate limiting (report the rate-limit bypass itself; that is in scope).
  • Best-practice nits with no demonstrable impact (missing cache headers, version-banner leaks, etc.).
  • Third-party properties we don’t operate (Vercel, Supabase, Stripe).

Safe harbor

If you follow this policy in good faith, we will not pursue legal action against you, will not ask law enforcement to do so, and will consider your research to be authorized under the Computer Fraud and Abuse Act and analogous state and international laws. “Good faith” means: you didn’t compromise real user data, you didn’t disrupt the service, you stopped probing once you confirmed the issue, and you gave us a reasonable chance to respond before going public.

Bug bounty

We don’t currently pay bounties — we’re early, and we’d rather spend that money actually shipping fixes. When we do launch a paid program, this page is where it’ll be announced. In the meantime we send researcher swag and, for high-impact findings, a public thank-you in the changelog.

Thank you for making PennScan safer. We mean it.
