Vulnerability Disclosure Policy

Last Updated: 10th April 2026

1. Introduction

Pentesys Ltd (“Pentesys”, “we”, “us”, “our”) is committed to maintaining the security of our systems, platform, and services. We recognise the value of the security community in helping to identify vulnerabilities.

This Vulnerability Disclosure Policy (“VDP”) outlines how security researchers can responsibly report vulnerabilities and how Pentesys will respond.

2. Scope

This policy applies to vulnerabilities identified in systems and services owned and operated by Pentesys, including:

  • https://pentesys.com
  • Public-facing web applications and APIs operated by Pentesys
  • The Mirage platform and associated services

This policy does not apply to third-party systems, services, or client environments unless explicitly stated.

3. Authorised Testing

Security research conducted under this policy must:

  • Be performed in good faith
  • Avoid privacy violations, data destruction, or service disruption
  • Not involve social engineering, phishing, or physical attacks
  • Not exploit vulnerabilities beyond what is necessary to demonstrate their existence
  • Not access, modify, or exfiltrate data unnecessarily

Testing must not impact system availability or integrity.

4. Prohibited Activities

The following activities are strictly prohibited:

  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) testing
  • Automated scanning that degrades service performance
  • Attempts to access or modify other users’ data
  • Use of brute force or credential stuffing attacks
  • Any activity that could cause harm to systems, users, or data

5. Reporting a Vulnerability

If you identify a potential vulnerability, please report it to:

Email: security@pentesys.com

Reports should include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Proof of concept (where appropriate)
  • Affected systems or endpoints
  • Your contact details

We encourage responsible disclosure and request that vulnerabilities not be publicly disclosed until we have had a reasonable opportunity to investigate and remediate.

6. Safe Harbour

Pentesys will not pursue legal action against individuals who:

  • Act in good faith
  • Follow this policy
  • Do not exploit vulnerabilities beyond necessary validation
  • Report vulnerabilities responsibly and promptly

This safe harbour applies only to activities conducted within the scope of this policy.

7. Our Commitment

Upon receiving a valid vulnerability report, Pentesys will:

  • Acknowledge receipt within a reasonable timeframe
  • Investigate and validate the issue
  • Take appropriate remediation actions
  • Keep the reporter informed of progress where appropriate

We aim to resolve vulnerabilities in a timely and risk-based manner.

8. Disclosure and Recognition

Pentesys may, at its discretion:

  • Acknowledge researchers who responsibly disclose vulnerabilities
  • Offer recognition where appropriate

We do not currently operate a public bug bounty programme unless explicitly stated.

9. Confidentiality

All vulnerability reports will be treated as confidential.

Researchers must not disclose vulnerabilities publicly or to third parties without prior written consent from Pentesys.

10. Legal Considerations

This policy does not grant permission to:

  • Access systems or data beyond what is necessary for testing
  • Violate applicable laws or regulations
  • Test systems outside of scope

Any activities outside this policy may be considered unauthorised.

11. Changes to This Policy

Pentesys may update this Vulnerability Disclosure Policy at any time. Updates will be published on this page.

12. Contact

Pentesys Ltd
Website: https://pentesys.com
Email: enquiries@pentesys.com