At Panoplai, security is core to our mission. We welcome responsible disclosure of vulnerabilities by security researchers and appreciate your help in keeping our platform safe.
In Scope:
app.panoplai.com (main application)
API endpoints used by the main application
Authentication and authorization systems
Data handling and storage mechanisms
Out of Scope:
Public marketing sites and documentation
Denial of Service (DoS/DDoS) attacks
Social engineering or phishing attacks
Third-party services not directly integrated
Physical access vulnerabilities
Issues in outdated browsers or modified devices
Missing security headers without demonstrable impact
Clickjacking on non-sensitive pages
CSRF on non-sensitive actions
Rewards
Severity Levels:
Critical ($300 – $500): RCE, SQL injection, authentication bypass, privilege escalation
High ($150 – $300): XSS in sensitive contexts, SSRF, sensitive data exposure
Medium ($50 – $150): XSS in non-sensitive contexts, CSRF on sensitive actions, business logic flaws
Low (Swag/Recognition): Minor information disclosure, non-exploitable security issues
Rewards are paid via PayPal or bank transfer. Tax documentation may be required for rewards over $600.
Guidelines
To Qualify:
Don't disrupt services or access other users' data
Provide a clear, reproducible proof of concept
Allow 30-90 days for remediation
Keep findings confidential until resolved
We Won't Consider:
Duplicate reports
Issues without sufficient detail
Publicly disclosed vulnerabilities
How to Submit
Email security@panoplai.com with:
Vulnerability summary and affected component
Step-by-step reproduction instructions
Impact assessment and potential business impact
Proof of concept (screenshots, code snippets)
Your preferred reward method
Response Timeline
Initial response: 10 business days
Assessment: 20 business days
Resolution: 30-90 days
Reward payment: 60-90 days after fix
Safe Harbor
If you follow these guidelines and act in good faith, we commit not to pursue legal action and to work with you transparently throughout the process.
Contact: security@panoplai.com
Thank you for helping keep Panoplai secure!