Vulnerability Disclosure Policy

Security disclosure

We welcome reports from security researchers acting in good faith. This page tells you what is in scope, how to report a finding, and what you can expect from us in return.

Report a vulnerability

Email a clear, reproducible writeup to:

security@nnsflow.com

We acknowledge reports within 5 business days and aim to triage within 10 business days.

Scope

What you may test

Testing is permitted only against the explicitly listed test hosts. Anything else is out of scope and treated as unauthorized access.

In scope

  • test.nnsflow.com
  • test.thepentalab.com

Out of scope

  • thepentalab.com
  • www.thepentalab.com
  • nnsflow.com
  • www.nnsflow.com
  • docs.nnsflow.com
  • Any production tenant or customer-hosted on-premise installation
  • Any infrastructure not explicitly listed in scope
Rules

What is allowed and what is not

Allowed

  • Passive fingerprinting (banner-grabbing, version detection, robots.txt review)
  • Reading public pages and following links as a normal user would
  • Automated vulnerability scanning and fuzzing at a sensible rate (suggested ceiling: 10 requests per second, sustained, per host)
  • Submitting one well-formed, non-destructive proof-of-concept request per finding
  • Reporting via email with a clear, reproducible writeup

Not allowed

  • Sustained traffic above ~10 requests per second, or any pattern that meaningfully degrades availability for other users
  • Denial-of-service testing, resource exhaustion, or stress testing of any kind
  • Brute-forcing credentials, tokens, session IDs, API keys, or any other secrets
  • Triggering rate-limiting, account-lockout, or WAF-throttling mechanisms (this disrupts real users and our own staff)
  • Social engineering of staff, customers, or suppliers
  • Physical attacks against PentaLab offices or staff
  • Accessing, modifying, deleting, or exfiltrating data belonging to PentaLab, its staff, customers, or any third party
  • Executing arbitrary code on our systems beyond the minimum proof needed to demonstrate the vulnerability
  • Pivoting to other internal systems after gaining initial access
  • Public disclosure of a vulnerability before we have had a reasonable time to remediate (see Disclosure Timeline above)

What to include in your report

The clearer your report, the faster we can verify and fix the issue.

  1. 1Affected host and URL (must be in scope above)
  2. 2Vulnerability type and a short description
  3. 3Step-by-step reproduction (one PoC per report)
  4. 4Impact in plain language: what an attacker could realistically do
  5. 5Your contact details and how you would like to be credited (if at all)

What you can expect from us

Acknowledgment

We confirm receipt within 5 business days.

Triage

Initial assessment within 10 business days, including whether the report is in scope and reproducible.

Remediation

We aim to ship a fix within 90 days of verified, in-scope reports. Critical issues are prioritized.

Credit

If you wish, we will credit you publicly on this page after the fix is deployed. You may also remain anonymous.

We do not currently pay monetary bounties

We are a small team and do not operate a paid bug bounty program. Valid, in-scope reports are acknowledged in writing and, if you wish, publicly credited on this page. Please report only because you want to help us improve our security, not in expectation of payment. Reports that demand payment as a condition of disclosure may be treated as extortion.

Safe harbor

Good-faith research is welcome

If you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you for your research activities. We consider research conducted under this policy to be:

  • Authorized in view of any applicable anti-hacking laws.
  • Exempt from restrictions in our Terms of Service that would interfere with conducting security research, only for the in-scope hosts listed above.
  • Lawful and helpful to the overall security of the internet.

This authorization applies only to testing the in-scope hosts and only to research that follows the rules above. Testing of any host or system not explicitly listed in scope is not authorized and may be unlawful under Swiss criminal law (notably Art. 143 and 143bis StGB) and equivalent laws in other jurisdictions. If you are unsure whether your activity is covered, ask us first at security@nnsflow.com before testing.

Hall of fame

Thanks to these researchers

We publicly credit researchers who have responsibly disclosed valid, in-scope vulnerabilities. Listed with permission.

Bhagirath Saxena

Reported exposure to CVE-2025-55182 (React Server Components RCE) on test.thepentalab.com.

2026-05-18

Found something?

Send your reproducible writeup to security@nnsflow.com. We read every report.

Email the security team