
Responsible Disclosure Policy

Last updated: March 2026

Table of Contents
  1. Scope
  2. Reporting a Vulnerability in Pilum.io
  3. Our Commitments
  4. Out of Scope for Bug Bounty
  5. Third-Party Vulnerabilities Found During Client Audits

1. Scope

This policy applies to vulnerabilities in Pilum.io’s own infrastructure (pilum.io website, API endpoints, scanner tooling). This is NOT the policy for vulnerabilities found IN client audits — those are governed by the engagement Terms of Service.

2. Reporting a Vulnerability in Pilum.io

Email: security@pilum.io

PGP key: Available upon request — contact security@pilum.io before launch.

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any proof-of-concept

3. Our Commitments

  • Acknowledge receipt within 48 hours.
  • Provide status update within 7 days.
  • Not pursue legal action against researchers acting in good faith.
  • Credit researchers in our changelog (if desired) upon fix.

4. Out of Scope for Bug Bounty

  • Social engineering attacks on our team.
  • Physical security.
  • Findings on client infrastructure (these belong to the client).
  • Vulnerabilities in third-party services we use.

5. Third-Party Vulnerabilities Found During Client Audits

When we discover a vulnerability in a third-party service during a client engagement, we report it to the third party per responsible disclosure norms. We note the existence of the vulnerability in the client report as INFORMATIONAL only. We do not test the third-party service beyond what is necessary to characterize the finding.


© 2026 Pilum.io — Adversarially verified. Professionally delivered.