Vulnerability Disclosure Policy

Guidelines for responsible disclosure of security vulnerabilities

Our Commitment

At PentestList, we take security seriously. We value the security community and believe that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

If you believe you have found a security vulnerability in PentestList, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

How to Report

Please report security vulnerabilities by emailing: hello@pentestlist.com

Include the following information in your report:

  1. Type of vulnerability
  2. Step-by-step instructions to reproduce the issue
  3. Impact of the vulnerability, including how an attacker might exploit it

Our Response Process

  • We will acknowledge receipt of your vulnerability report within 48 hours
  • We will provide an estimated timeframe for addressing the vulnerability
  • We will notify you when the vulnerability is fixed
  • We will publicly acknowledge your responsible disclosure, if you wish

Safe Harbor

When working with us according to this policy, we consider your security research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)
  • Authorized in accordance with any applicable anti-hacking laws
  • Exempt from restrictions in our Terms of Service that would interfere with security research
  • Lawful and helpful to the overall security of the Internet

Guidelines

We ask that you:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data
  • Only use exploits to the extent necessary to confirm a vulnerability
  • Do not use an exploit to compromise or exfiltrate data, establish persistent access, or pivot to other systems
  • Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party
  • Do not interact with other users' accounts or data without their explicit permission

Out of Scope

The following are generally considered out of scope:

  1. Clickjacking
  2. Attacks requiring physical access to a user's device
  3. Social engineering attacks
  4. Denial of service attacks
  5. Issues in third-party services or applications
  6. TLS or HTTP header related issues
  7. Rate limiting issues

This policy was last updated on 10/9/2025.