Responsible Disclosure Policy
For security researchers reporting issues in the Pythorix platform.
Pythorix is built by people who deeply respect the security research community. If you've found a vulnerability in our platform — or in a customer's asset that we host — we want to hear from you, and we'll treat you well.
Safe Harbor
We will not pursue or support legal action against good-faith researchers who:
- Disclose responsibly, give us reasonable time to fix, and don't exploit the issue beyond proof-of-concept.
- Don't access, modify, or exfiltrate customer data beyond what's necessary to demonstrate the issue.
- Don't perform DoS / DDoS, social engineering, or physical attacks on Pythorix or its employees.
- Don't scan customer assets without their separate authorisation.
If you act in good faith and we believe your activity was authorised under this policy, we will not pursue civil or criminal action.
In Scope
- The Pythorix platform: app.pythorix.local, the API, the marketing site.
- Authentication flow vulnerabilities (signup, OTP, OAuth, sessions).
- Authorisation flaws (cross-tenant data access, RBAC bypass).
- Injection, SSRF, RCE in the Pythorix backend.
- Sensitive data exposure through our APIs.
- Bypasses of our scan-authorisation gates.
Out of Scope
- Findings on customer-owned assets that Pythorix has scanned (report to the asset owner).
- Self-XSS, CSRF on logout, missing security headers without exploit, theoretical issues.
- Social engineering against Pythorix employees.
- Physical attacks on Pythorix offices or infrastructure.
- DoS / DDoS / volumetric attacks.
- Issues in third-party services (Postgres, Redis, Stripe, Google) unless caused by our integration.
How to Report
Send a message via Contact with subject prefix SECURITY: and include:
- Clear vulnerability description with severity assessment.
- Step-by-step reproduction (text, screenshots, video — your choice).
- Proof-of-concept code or HTTP requests if applicable.
- Whether the issue is publicly known.
- Your preferred attribution (handle / org / anonymous).
What to Expect
- Acknowledgement: within 2 business days.
- Initial assessment: within 5 business days.
- Status updates: at minimum every 14 days until resolved.
- Fix timelines: Critical <= 7 days, High <= 30 days, Medium <= 90 days, counted from the initial assessment. We will tell you which severity we assigned and the resulting target date once the assessment is done.
- Public credit: in our security hall-of-fame (subject to your preference).
Disclosure
We follow coordinated disclosure: we aim to publish details only after a fix is deployed and customers have had time to update. Please don't disclose publicly before we've had a reasonable chance to fix.
Bounties
Pythorix does not currently run a paid bug-bounty program. We may offer recognition, swag, or platform credits for significant findings — at our discretion.
Hall of Fame
Researchers who've helped harden Pythorix and consented to attribution will be listed here.