Vulnerability Disclosure Policy

Found a vulnerability in our platform? We want to hear about it. This policy covers scope, how to report, what to expect from us, and our safe harbor commitment to good-faith researchers.

Last updated: 12 July 2026

Our commitment

Pwned Labs welcomes reports from security researchers acting in good faith. We take every report seriously, we will work with you to understand and remediate valid issues, and we will not pursue legal action against research conducted in line with this policy.

Scope

In scope: pwnedlabs.io and its subdomains, the Pwned Labs Academy platform, and our public APIs.

Out of scope:

  • Our training labs, cyber ranges, and lab infrastructure. These environments are intentionally vulnerable by design, so vulnerabilities inside lab scenarios are features, not findings.
  • Third-party services we use (report those to the vendor).
  • Denial-of-service testing, spam, social engineering of staff or customers, and physical attacks.
  • Automated scanning that degrades service for other users.

How to report

Email security@pwnedlabs.io with a description of the issue, steps to reproduce, the affected URL or component, and your assessment of impact. A proof of concept helps; please keep it minimal and non-destructive. Machine-readable details are in our security.txt.

What to expect

  • Acknowledgement of your report within 3 business days.
  • Updates as we triage and remediate.
  • Credit for your finding, with your permission, once resolved.

We do not currently operate a paid bug bounty programme.

Safe harbor

Research conducted in good faith and in line with this policy is authorised. Do not access, modify, or exfiltrate data belonging to other users beyond the minimum needed to demonstrate an issue; do not degrade the service; stop and report immediately if you encounter personal data. If you follow these rules, we will not initiate legal action against you and will consider your research authorised under applicable anti-hacking laws.