pentest-ai

Responsible Disclosure Policy

Public-facing version of SECURITY.md. Lives at pentestai.xyz/security.

We take security seriously. If you discover a vulnerability in the pentest-ai CLI, the dashboard, the MCP server, the marketing site, or any other system we operate, we want to hear about it. This policy describes how to report and what you can expect from us in return.

Scope

In scope:

  • The pentest-ai CLI (pip install ptai) — Python source in agents/, engine/, cli/, mcp_server/, tools/, playbooks/
  • The dashboard at app.pentestai.xyz and any subdomain
  • The marketing site at pentestai.xyz
  • The MCP server's HTTP and stdio surfaces
  • The cloud sync API endpoints (the part of the dashboard the CLI connects to)
  • Authentication, authorization, scope-enforcement, and evidence-handling code

Out of scope:

  • Third-party tools the engine invokes (nmap, nuclei, sqlmap, etc.). Report those upstream.
  • Issues in our subprocessors (Cloudflare, Stripe, Anthropic, OpenAI, AWS/GCP). Report to them.
  • Theoretical issues without a working proof of concept.
  • Self-XSS, missing best-practice headers without a concrete impact, or cosmetic issues that don't affect security.
  • Volumetric denial-of-service, brute-force on login (we rate-limit), or any test that requires more than a single user's worth of traffic.
  • Social engineering of our staff or customers.
  • Physical attacks against our offices or staff.

Reporting channel

Preferred: open a private GitHub Security Advisory at https://github.com/0xSteph/pentest-ai/security/advisories/new. This gives us a private channel to coordinate without the issue being visible to the public.

Alternative: email [email protected] with the subject line "[SECURITY] short description". The PGP key is published at pentestai.xyz/.well-known/security.txt and at the bottom of this page.

What to include

To help us triage quickly:

  • The component affected (CLI version + commit, dashboard URL, MCP path)
  • A clear description of the issue and its impact
  • A minimal proof of concept (commands, requests, or a minimal repro repo)
  • Your name or handle if you'd like credit; otherwise we'll keep you anonymous

If your finding involves data of other users or our own infrastructure, stop testing immediately, do not download more than the minimum needed to demonstrate the issue, and contact us before doing anything else.

Our commitments to you

  • We acknowledge receipt within 3 business days.
  • We perform initial triage within 7 business days.
  • We keep you informed of remediation progress at least every 14 days until resolution.
  • We coordinate disclosure timing with you. Default window: up to 90 days from initial report; we may ask for extensions for complex fixes and we will explain why.
  • We credit you in the release notes and at pentestai.xyz/security/hall-of-fame if you want it. Anonymous reports are also welcome.
  • We do not pursue legal action against good-faith researchers who follow this policy and the Acceptable Use Policy.

Safe harbor

If you make a good-faith effort to comply with this policy, we consider your testing authorized and we will not initiate or support any legal action against you. We waive any claim against you under the Computer Fraud and Abuse Act, similar laws in other jurisdictions, and DMCA anti-circumvention provisions, to the extent those laws would otherwise apply to your testing of our systems within this scope.

The safe harbor does not authorize:

  • Testing of systems out of scope (Section 1)
  • Public disclosure before we have a chance to fix
  • Exfiltration of customer data beyond a single demonstration
  • Persisting access after the initial finding
  • Any action that violates the AUP

Bug bounty

We currently do not run a paid bug bounty program. We may offer swag, recognition, or invitations to private programs at our discretion. We may launch a paid program in the future; this policy will be updated when we do.

Public disclosure

After we publish a fix, you may publicly disclose the issue. We will publish:

  • A CVE (if applicable) via our CNA path or GitHub
  • Release notes describing the issue at a high level
  • Credit to the reporter (if requested)

Contact

  • [email protected]
  • GitHub Security Advisory: https://github.com/0xSteph/pentest-ai/security/advisories/new
  • PGP key fingerprint: [FILL: paste fingerprint of the security@ PGP key here, e.g. ABCD 1234 EF56 7890 ABCD 1234 EF56 7890 ABCD 1234]

[FILL: full PGP public key block, generated with gpg --gen-key for [email protected], exported with gpg --armor --export [email protected]]


Source markdown: github.com/0xSteph/pentest-ai/blob/main/docs/legal/RESPONSIBLE_DISCLOSURE.md

For authorized security testing only · 0xSteph