Responsible Disclosure.
Responsible disclosure is part of our brand. If you have identified a security issue affecting praetorshield.com, our infrastructure, or a PraetorShield deliverable, we want to know — and we will treat you the way a serious security firm should.
Report to: security@praetorshield.com · PGP key on request. Please include a clear description of the issue, reproduction steps, the impact you believe it has, and any time-sensitive context.
1. In scope
- praetorshield.com (and any sub-domains we operate)
- Authenticated and unauthenticated surfaces on the above
- Engagement deliverables (reports, templates) where a vulnerability in the deliverable itself creates risk to a reader
2. Out of scope
- Findings that require physical access, social engineering of PraetorShield staff, or compromise of an end-user device
- Denial-of-service testing, automated brute-force, or volumetric attacks
- Findings against third-party services we depend on (please report those to the third party)
- Issues that depend on outdated or unsupported browsers
- Theoretical issues without a demonstrable impact
3. Safe harbor
If you act in good faith, comply with this policy, and avoid privacy violations, degradation of service, destruction or alteration of data, and any action that would harm a third party, PraetorShield will:
- Treat your activity as authorized testing for the purpose of investigating and resolving the report.
- Not pursue or support a legal action against you in connection with the report.
- Work with you to understand and resolve the issue promptly.
Safe harbor applies only to your interaction with PraetorShield. It does not waive rights of any third party, and it does not authorize activity against systems PraetorShield does not own or operate.
4. Response timelines
- Within 2 business days — acknowledgement of receipt by a named member of PraetorShield.
- Within 5 business days — initial assessment and a proposed handling path.
- Ongoing — updates at agreed intervals until the issue is resolved or formally closed.
5. Recognition
PraetorShield does not currently operate a paid bug-bounty programme. We do publicly acknowledge researchers who report valid issues, with your consent, on a private "thanks" list maintained by the firm. If you prefer to remain anonymous, that is fully respected.
6. Coordinated disclosure
Public disclosure of an issue you have reported should not occur before the issue is resolved or 90 days have elapsed from the initial report, whichever is sooner, unless PraetorShield and the reporter agree otherwise in writing. We will not pressure reporters with the threat of legal action; we expect the same professional courtesy in return.
7. Contact
Reports: security@praetorshield.com
Press & coordination: disclosure@praetorshield.com
Machine-readable details: /.well-known/security.txt