Security disclosure
We welcome reports from security researchers acting in good faith. This page tells you what is in scope, how to report a finding, and what you can expect from us in return.
We acknowledge reports within 5 business days and aim to triage within 10 business days.
What you may test
Testing is permitted only against the explicitly listed test hosts. Anything else is out of scope and treated as unauthorized access.
In scope
- •test.nnsflow.com
- •test.thepentalab.com
Out of scope
- •thepentalab.com
- •www.thepentalab.com
- •nnsflow.com
- •www.nnsflow.com
- •docs.nnsflow.com
- •Any production tenant or customer-hosted on-premise installation
- •Any infrastructure not explicitly listed in scope
What is allowed and what is not
Allowed
- ✓Passive fingerprinting (banner-grabbing, version detection, robots.txt review)
- ✓Reading public pages and following links as a normal user would
- ✓Automated vulnerability scanning and fuzzing at a sensible rate (suggested ceiling: 10 requests per second, sustained, per host)
- ✓Submitting one well-formed, non-destructive proof-of-concept request per finding
- ✓Reporting via email with a clear, reproducible writeup
Not allowed
- ✗Sustained traffic above ~10 requests per second, or any pattern that meaningfully degrades availability for other users
- ✗Denial-of-service testing, resource exhaustion, or stress testing of any kind
- ✗Brute-forcing credentials, tokens, session IDs, API keys, or any other secrets
- ✗Triggering rate-limiting, account-lockout, or WAF-throttling mechanisms (this disrupts real users and our own staff)
- ✗Social engineering of staff, customers, or suppliers
- ✗Physical attacks against PentaLab offices or staff
- ✗Accessing, modifying, deleting, or exfiltrating data belonging to PentaLab, its staff, customers, or any third party
- ✗Executing arbitrary code on our systems beyond the minimum proof needed to demonstrate the vulnerability
- ✗Pivoting to other internal systems after gaining initial access
- ✗Public disclosure of a vulnerability before we have had a reasonable time to remediate (see Disclosure Timeline above)
What to include in your report
The clearer your report, the faster we can verify and fix the issue.
- 1Affected host and URL (must be in scope above)
- 2Vulnerability type and a short description
- 3Step-by-step reproduction (one PoC per report)
- 4Impact in plain language: what an attacker could realistically do
- 5Your contact details and how you would like to be credited (if at all)
What you can expect from us
Acknowledgment
We confirm receipt within 5 business days.
Triage
Initial assessment within 10 business days, including whether the report is in scope and reproducible.
Remediation
We aim to ship a fix within 90 days of verified, in-scope reports. Critical issues are prioritized.
Credit
If you wish, we will credit you publicly on this page after the fix is deployed. You may also remain anonymous.
We do not currently pay monetary bounties
We are a small team and do not operate a paid bug bounty program. Valid, in-scope reports are acknowledged in writing and, if you wish, publicly credited on this page. Please report only because you want to help us improve our security, not in expectation of payment. Reports that demand payment as a condition of disclosure may be treated as extortion.
Good-faith research is welcome
If you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you for your research activities. We consider research conducted under this policy to be:
- Authorized in view of any applicable anti-hacking laws.
- Exempt from restrictions in our Terms of Service that would interfere with conducting security research, only for the in-scope hosts listed above.
- Lawful and helpful to the overall security of the internet.
This authorization applies only to testing the in-scope hosts and only to research that follows the rules above. Testing of any host or system not explicitly listed in scope is not authorized and may be unlawful under Swiss criminal law (notably Art. 143 and 143bis StGB) and equivalent laws in other jurisdictions. If you are unsure whether your activity is covered, ask us first at security@nnsflow.com before testing.
Found something?
Send your reproducible writeup to security@nnsflow.com. We read every report.
Email the security team