# security.txt for Pentestly.io
# Standard: https://securitytxt.org/

Contact: mailto:hello@pentestly.io
Preferred-Languages: en
Canonical: https://pentestly.io/.well-known/security.txt

# Disclosure Policy
#
# We welcome reports of security issues that could impact the confidentiality,
# integrity, or availability of Pentestly.io or our customers. Please provide as
# much detail as possible (affected endpoints, proof-of-concept, reproduction steps).

# Out of Scope
#
# The following are considered out of scope and will not be eligible for acknowledgement:
#
# - Automated scanner or generic tool reports without proof of exploitability
# - Generic DNS issues (SPF/DMARC, etc.)
# - Denial of Service (DoS), brute force, or spam-related issues
# - Best practice recommendations without a clear security impact
# - Clickjacking on non-sensitive endpoints
# - Rate limiting or CAPTCHA bypass without demonstrated impact
# - Issues requiring physical access to user devices or accounts
# - Attacks against third-party services, infrastructure, or vendors not under
#   Pentestly.io's control

# Safe Harbour
#
# We ask that researchers:
#
# - Act in good faith and avoid privacy violations, data destruction, or service disruption.
# - Allow us reasonable time to investigate and remediate before public disclosure.
# - Comply with all applicable laws.
#
# We are committed to working with the security community and will make every
# effort to acknowledge valid reports in a timely manner.