Report a security issue
Permafrost is a security product. We welcome good-faith research and treat every credible report seriously. This policy explains what is in scope, how to reach us, what to expect, and the protections we extend to researchers acting in good faith.
How to report
Email security@permafrostepm.com with enough detail for us to reproduce the issue: the affected URL or component, the steps, the impact, and any proof-of-concept. Please send one issue per report. The machine-readable contact is published at /.well-known/security.txt.
In scope
The Permafrost EPM production application and marketing site:
- The signed-in application and its API
- The public marketing and documentation site
- Authentication, authorization, tenant-isolation, and access-control flaws
- Issues that could expose one customer’s data to another, or expose data we hold
Out of scope
The following are generally out of scope. We may still want to hear about them, but they are unlikely to be treated as reportable vulnerabilities on their own:
- Findings against infrastructure operated by our hosting or sub-processors rather than Permafrost itself
- Volumetric denial-of-service, brute-force, or rate-limit testing
- Reports from automated scanners without a demonstrated, exploitable impact
- Missing security headers, cookie flags, or TLS configuration without a concrete exploit
- Social engineering of our staff, customers, or vendors
- Spam, content, or self-XSS that cannot affect another user
What to expect
We aim to acknowledge a report within a few business days, give you a triage assessment, and keep you updated as we work toward a fix. We will let you know when the issue is resolved and are glad to credit you if you would like the recognition.
Permafrost runs coordinated disclosure. This is not a paid bug-bounty program; we do not currently offer monetary rewards.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your testing authorized, will not pursue or support legal action against you for it, and will work with you to understand and resolve the issue. Good faith means:
- Stay within the scope above
- Do not access, modify, or delete data that is not yours
- Do not degrade the service for others
- Give us reasonable time to remediate before any public disclosure
- Never exfiltrate customer data
If legal action is initiated by a third party against you for activity that complied with this policy, we will make this authorization known.
