Status: Paused (Critical Reports Only)
We’re temporarily pausing our public bug bounty while we work through existing reports. During this pause we will only review critical security issues affecting customer data or authentication. Thank you for your help keeping Panoplai safe. (as of Sept 10, 2025)
In Scope (during pause)
- app.panoplai.com (production web app)
- Public API endpoints used by the app
- Authentication & authorization flows
- Data access controls (tenant isolation, PII access)
Use test accounts only. Do not access, modify, or exfiltrate real customer data under any circumstances.
Out of Scope (and will be closed without review during pause)
- Marketing sites & docs
- DoS/DDoS, volumetric or availability testing
- Social engineering or phishing
- Third-party services not owned by Panoplai
- Physical security issues
- Automated brute force / credential stuffing
- Missing security headers without clear exploit
- Clickjacking or CSRF on non-sensitive actions
- UX issues or best-practice recommendations without security impact
Testing Rules (required)
- No disruption of service; respect a soft rate limit of ≤10 req/sec.
- No automated password spraying or MFA tampering.
- No scanning that creates excessive logs, costs, or alerts.
- Use only accounts and data you own; do not access other users’ data.
- Delete any test data or credentials within 24 hours of validation.
Rewards (during pause)
We’re not running a public bounty while paused. We may issue discretionary rewards for validated Critical/Highvulnerabilities that include a working, minimal-impact PoC. Recognition may be offered in lieu of payment at our discretion. Tax forms may be required for payments ≥$600.
Severity reference (examples)
- Critical: RCE, auth bypass, tenant breakout, unrestricted sensitive data access
- High: SSRF with real data access, stored XSS in sensitive contexts, privilege escalation
- Medium/Low: all others (normally considered post-pause)
How to Submit (critical issues only)
Email security@panoplai.com with:
- Affected component & summary
- Step-by-step reproducible instructions
- Impact analysis (what data or control is at risk)
- Minimal PoC (screenshots, short code, or curl)
- Your contact & preferred recognition/payment method (if any)
Submissions that are clearly non-critical or incomplete may be closed without response during the pause.
Response & Remediation Timeline (realistic while paused)
- Initial triage (critical only): up to 10 business days
- Assessment & prioritization: up to 20 business days
- Fix window: 30–90 days depending on severity/complexity
- Retest/verification: as coordinated with reporter
- Reward/recognition (if applicable): within 60–90 days after fix
Duplicates & Publicly Disclosed Issues
- Duplicate reports receive no reward; we’ll link to the canonical report.
- Publicly known issues without a new exploit path are out of scope.
Safe Harbor
If you act in good faith and follow these rules, Panoplai will not pursue legal action and will work with you to resolve issues responsibly.
Contact: security@panoplai.com
