Responsible disclosure
Last updated: April 2026
We rely on the security community to help keep Sentrytex safe for the developers and teams who depend on us. If you've found a vulnerability in our service, this page explains how to report it, what's in scope, what to expect from us, and the safe-harbour terms we offer researchers acting in good faith.
TL;DR
- Report to: [email protected]
- Scope: *.sentrytex.com and our public API
- Acknowledgement: within 2 business days
- Triage and severity assessment: within 5 business days
- Safe harbour: yes, for good-faith research under this policy
- Bug bounty: not at this time — we may add one in future
How to report
Email [email protected] with:
- A clear description of the issue
- Steps to reproduce
- The impact you believe it has
- Any proof-of-concept code, screenshots, or HTTP requests/responses
If you'd like to encrypt your report, our PGP public key is published at https://www.sentrytex.com/.well-known/security.txt (publication is pending — see the BUILDER note in the page source).
Please do not file vulnerability reports through public channels (GitHub issues, X, support chat). Keep the report private until we've had a chance to fix it.
What's in scope
- The Sentrytex web application: www.sentrytex.com and any subdomain on *.sentrytex.com
- The public API documented at /docs/api
- Authentication, session handling, and account flows
- Billing flows handled inside the Sentrytex application
- Our handling of customer data and alert delivery
What's out of scope
- Social engineering of Sentrytex employees, contractors, or customers
- Physical attacks against Sentrytex offices or infrastructure
- Denial-of-service attacks, volumetric tests, or anything intended to degrade service for other users
- Vulnerabilities in third-party services that Sentrytex uses (please report those to the relevant vendor — Lemon Squeezy for payments, our hosting and email providers, etc.)
- Self-XSS that requires the victim to paste attacker-supplied content into the browser console
- Reports based purely on automated scanner output without a working proof of concept
- Missing security headers without a demonstrated exploit path
- Best-practice recommendations that don't correspond to a concrete vulnerability — these are welcome as feedback, but they don't fall under this policy
- Reports against staging or preview environments unless the vulnerability also affects production
Our process
- Acknowledgement — within 2 business days, a human at Sentrytex will confirm we've received your report
- Triage — within 5 business days, we'll confirm whether the issue reproduces, assign a severity (critical / high / medium / low), and tell you our expected fix window
- Fix — we prioritise critical and high issues; remediation timelines depend on complexity
- Coordinated disclosure — once a fix is shipped, we'll agree a disclosure timeline with you. We're happy to credit researchers publicly (with your consent) in a security advisory and on this page
If at any point you don't hear back when you expect to, email us again and reference the original thread. We'd rather hear from you twice than miss the report.
Safe harbour
We will not pursue legal action against, or report to law enforcement, security researchers who:
- Act in good faith under this policy
- Stay within the scope defined above
- Avoid privacy violations, destruction of data, or interruption of service for users other than themselves
- Use only test accounts (or accounts they own) when demonstrating the issue
- Give us reasonable time to investigate and fix the issue before any public disclosure
- Don't extort, threaten, or attempt to monetise the vulnerability outside this process
If a third party initiates legal action against a researcher who complied with this policy, we will make our authorisation under this policy known to the third party.
Bug bounty
Sentrytex does not currently run a paid bug-bounty programme. We may add one in future. In the meantime, we genuinely appreciate disclosure reports, and — with your consent — we'll credit researchers on this page and in the corresponding security advisory.
Contact
- Vulnerability reports: [email protected]
- General security questions: see our security overview
- Data protection requests: see our privacy policy
Thank you for taking the time to make Sentrytex safer.