Vulnerability Disclosure Policy

Panguard AI, Inc. ("Panguard") is committed to the security of our platform and the protection of our customers. We welcome and encourage responsible security research. This policy outlines the guidelines for reporting vulnerabilities to us and describes our commitment to working with security researchers in good faith.

1. Scope

The following assets are in scope for this program:

• panguard.ai -- Our primary marketing website and web application
• app.panguard.ai -- The Panguard dashboard and management console
• api.panguard.ai -- The Panguard REST API and GraphQL endpoints
• *.panguard.ai -- Other first-party subdomains operated by Panguard

Mobile applications, open-source libraries published by Panguard on GitHub, and the Panguard endpoint agent are also in scope.

2. Safe Harbor

Panguard will not pursue legal action against security researchers who discover and report vulnerabilities in good faith and in compliance with this policy. Specifically:

• We consider security research conducted in accordance with this policy to be authorized and will not initiate legal action against you
• We will not pursue claims under the Computer Fraud and Abuse Act (CFAA) or equivalent laws for research conducted under this policy
• If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were authorized by us
• We will work with you to understand and resolve issues quickly

This safe harbor applies only to legal claims under Panguard's control and does not bind independent third parties.

3. Reporting Guidelines

When you discover a vulnerability, please follow these guidelines:

3.1 How to Report

• Submit vulnerability reports via email to security@panguard.ai
• Encrypt sensitive reports using our PGP key (see Section 6 below)
• Include a detailed description of the vulnerability, including steps to reproduce, affected systems, and potential impact
• Provide proof of concept where possible, with minimal impact to production systems

3.2 No Public Disclosure

You must not publicly disclose the vulnerability until Panguard has had a reasonable opportunity to investigate and remediate the issue. We request a 90-day disclosure window from the date of your initial report. If we require additional time to address the issue, we will coordinate with you on an appropriate disclosure timeline.

3.3 Good Faith Practices

• Do not access, modify, or delete data belonging to other users
• Do not perform actions that could degrade the Service for other users (e.g., denial of service testing)
• Do not use automated scanning tools at excessive rates against production systems
• Do not exploit a vulnerability beyond what is necessary to demonstrate the issue
• Stop testing and notify us immediately if you encounter any user data during your research

4. Out of Scope

The following vulnerability types and testing methods are out of scope for this program:

• Social engineering attacks (phishing, vishing) against Panguard employees or customers
• Physical attacks against Panguard offices or data centers
• Denial of service (DoS/DDoS) attacks against production systems
• Vulnerabilities in third-party software or services not operated by Panguard
• Spam, email spoofing, or SPF/DKIM/DMARC configuration issues
• Clickjacking on pages with no sensitive actions
• Content injection without demonstrable security impact
• Missing HTTP security headers without a demonstrated exploit
• Vulnerabilities requiring physical access to a user's device

5. Contact

6. PGP Key

For encrypted communications, please use our PGP public key:

7. Hall of Fame

We recognize and appreciate the contributions of security researchers who help us keep Panguard secure. With your permission, we will acknowledge your contribution on our Security Hall of Fame page.