Responsible Disclosure
We welcome reports from security researchers. This page documents how to reach us and what you can expect in return.
Last updated: 2026-04-16
How to report
- Email: [email protected]
- PGP: public key available on request via the address above (rotated annually)
- Preferred languages: English, Italian, German
- security.txt: /.well-known/security.txt
Please include a clear description, reproduction steps, affected component and version, and any proof-of-concept material. Avoid sharing reports on public channels (social media, forums, GitHub issues) until we have had a chance to triage and remediate.
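The security.txt entry above points at a machine-readable file (RFC 9116) that carries the same contact details as this page. The following is an added example, not SentriKat's published file or code: a small checker that parses a constructed security.txt and flags the mistakes that most often make such files useless to researchers (missing or expired Expires, a bare e-mail address instead of a mailto: URI, duplicate single-value fields, malformed language tags). The mailto address, the PGP key URL and the policy URL in the sample are assumptions.

```python
"""Check a security.txt file against the main RFC 9116 rules.

Added example for this page, not code from SentriKat. The sample file below
is constructed; the mailto address, key URL and policy URL are assumptions.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# The page's "Last updated" date, used as the reference time for the checks.
PAGE_DATE = datetime(2026, 4, 16, tzinfo=timezone.utc)

# Constructed sample modelled on the contact details above (e-mail, PGP key,
# preferred languages, policy). Assumed: the mailto address and the two URLs.
SAMPLE_SECURITY_TXT = """\
# Constructed example; not SentriKat's published file
Contact: mailto:[email protected]
Contact: https://sentrikat.com/security
Expires: 2027-04-16T00:00:00Z
Encryption: https://sentrikat.com/.well-known/pgp-key.txt
Preferred-Languages: en, it, de
Policy: https://sentrikat.com/security
Canonical: https://sentrikat.com/.well-known/security.txt
"""

REQUIRED = ("contact", "expires")            # RFC 9116: MUST be present
SINGLE = ("expires", "preferred-languages")  # RFC 9116: at most once
URI_FIELDS = ("contact", "encryption", "canonical", "policy", "acknowledgments", "hiring")
LANG_TAG = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{1,8})*$")  # simplified RFC 5646 tag


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Name: value' lines into a lower-cased field -> values map.

    Blank lines and '#' comments are skipped. Value order is preserved because
    the RFC treats multiple Contact lines as listed in order of preference.
    """
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    problems: list[str] = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field appears more than once: {name}")
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            # Contact and friends must be URIs; a bare e-mail address is invalid.
            if not value.startswith(("https://", "mailto:", "tel:")):
                problems.append(f"{name} is not a https/mailto/tel URI: {value}")

    if len(fields.get("expires", [])) == 1:
        try:
            expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("expires is not an ISO 8601 timestamp")
        else:
            if expires.tzinfo is None:
                problems.append("expires lacks a timezone offset")
            elif expires <= now:
                problems.append("file has expired")
            elif expires - now > timedelta(days=366):
                problems.append("expires is more than a year in the future")

    for value in fields.get("preferred-languages", []):
        for tag in value.split(","):
            if not LANG_TAG.match(tag.strip()):
                problems.append(f"bad language tag: {tag.strip()!r}")
    return problems


if __name__ == "__main__":
    print("sample:", check_security_txt(SAMPLE_SECURITY_TXT, now=PAGE_DATE) or "OK")
    # Constructed bad file: bare e-mail, no Expires, duplicated single-value field.
    broken = "Contact: [email protected]\nPreferred-Languages: en\nPreferred-Languages: de\n"
    for problem in check_security_txt(broken, now=PAGE_DATE):
        print("broken:", problem)
```

Run it as a script to see the sample pass and the constructed bad file fail; to check a live file, fetch https://<host>/.well-known/security.txt over HTTPS (the RFC requires HTTPS) and pass the body to check_security_txt. Re-running it shortly before the Expires date is the cheap way to keep the file from going stale when the PGP key is rotated.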
Safe harbor
SentriKat will not pursue or support legal action against researchers who act in good faith and:
- Avoid privacy violations, service disruption, and data destruction
- Do not access, modify, or exfiltrate data that does not belong to them beyond what is strictly necessary to demonstrate the issue
- Give us a reasonable window to remediate before any public disclosure
- Comply with applicable Swiss, EU, and other relevant laws
If your testing accidentally exposes sensitive data, stop and report it — we will treat it as part of the original report, not as a new finding.
Scope
In scope
- sentrikat.com — marketing website
- app.sentrikat.com — SaaS platform
- portal.sentrikat.com — customer portal
- api.sentrikat.com — license and provisioning API
- docs.sentrikat.com — documentation site
- The SentriKat agent and on-premises images distributed from the portal
Out of scope
- Volumetric DoS or rate-limit bypass via brute force
- Social engineering of SentriKat staff, customers, or suppliers
- Reports from automated scanners without a working exploit
- Missing HTTP headers, cookie flags, or TLS configurations that do not lead to a concrete impact
- Third-party services we use as sub-processors (please report directly to them)
Our response commitments
- First response: within 2 business days of receiving the report
- Triage and severity assessment: within 5 business days
- Remediation target: critical issues fixed within 30 days; high within 60; medium and below within the next scheduled release window
- Credit: researchers are credited in release notes and, upon request, on a public hall of fame. Anonymous reports are also accepted.
Bounty program
SentriKat does not currently run a paid bounty program. We are evaluating EU-based platforms (YesWeHack, Intigriti) and will update this page when a program launches. In the meantime we offer goodwill credit — swag, a public acknowledgement, and, for significant findings, a discretionary thank-you payment.