Responsible Disclosure Policy

This policy explains how security researchers, customers, users, and members of the public can report suspected vulnerabilities affecting Pravune safely and responsibly.

Last updated: 12 May 2026

1. Overview

Pravune takes security seriously and values responsible reporting of suspected vulnerabilities. If you believe you have discovered a security issue affecting Pravune, please tell us promptly and privately so we can investigate and respond.

This policy is intended to define a safe and clear reporting process. It does not give permission to access data, systems, accounts, networks, or environments that you are not authorised to use.

Organisation: Pravune Ltd
Security contact: security@pravune.com
Company number: NI740424

2. Scope

This policy applies to vulnerabilities that directly affect Pravune-owned websites, systems, services, applications, APIs, or infrastructure that Pravune clearly controls.

The following are not in scope unless Pravune has given you written permission:

  • Customer systems, customer environments, or customer data.
  • Third-party services, platforms, suppliers, or infrastructure not controlled by Pravune.
  • Social engineering, phishing, physical security, or attacks against people.
  • Denial of service, load testing, spam, or destructive testing.

3. How to report a vulnerability

Please email suspected vulnerabilities to security@pravune.com. Reports should preferably be submitted in English.

Do not publicly disclose the vulnerability or share details with anyone else until Pravune has had a reasonable opportunity to investigate and address the issue.

If your report contains sensitive information, please include only the minimum information needed to explain and verify the issue.

4. What to include in your report

A helpful report allows us to understand, verify, prioritise, and resolve the issue more effectively. Where possible, please include:

Summary

A clear description of the suspected vulnerability and the affected Pravune website, service, system, or endpoint.

Steps to reproduce

Enough detail for Pravune to understand, verify, and reproduce the issue safely.

Impact

Your view of the potential impact, affected users, affected data, or possible misuse scenario.

Evidence

Screenshots, logs, request examples, URLs, timestamps, or other supporting information, without exposing unnecessary data.

5. Permitted security research

When researching potential vulnerabilities, you must act safely, lawfully, and proportionately. The following activities are permitted under this policy:

  • Reviewing publicly accessible Pravune web pages and services.
  • Testing only accounts, systems, data, or environments you are authorised to use.
  • Using non-destructive, low-volume testing methods.
  • Reporting suspected vulnerabilities promptly and confidentially.
  • Stopping testing immediately if you encounter personal data, customer data, credentials, secrets, or non-public information.

6. Prohibited activity

The following activities are not permitted under this policy:

  • Accessing, copying, modifying, deleting, downloading, or disclosing data that does not belong to you.
  • Disrupting, degrading, or attempting to deny service to Pravune systems or third-party services.
  • Using social engineering, phishing, physical attacks, spam, or attacks against Pravune staff, customers, suppliers, or users.
  • Uploading malware, backdoors, ransomware, destructive payloads, or persistent unauthorised access mechanisms.
  • Attempting to extort payment, threaten disclosure, or publicly disclose a vulnerability before Pravune has had a reasonable opportunity to investigate.
  • Testing third-party systems, providers, or customer environments unless you have separate permission from the relevant owner.

7. If you encounter data

If you accidentally access personal data, customer data, credentials, secrets, source code, internal information, or any other non-public information, you must stop testing immediately and report the issue to Pravune.

Do not copy, download, alter, delete, retain, share, or publish the data. Include only the minimum evidence needed to show the issue exists.

8. What to expect from Pravune

When we receive a genuine vulnerability report, we will review it and take appropriate action based on the nature and severity of the issue.

Stage: What happens
Acknowledge: We aim to acknowledge genuine vulnerability reports within 5 business days where possible.
Triage: We will review the report, assess scope and severity, and may ask for additional information.
Investigate: Where appropriate, we will reproduce, validate, and investigate the suspected vulnerability.
Remediate: We will take appropriate action based on severity, impact, exploitability, and affected systems.

We may not be able to provide detailed updates in every case, especially where the report involves customer data, third-party systems, legal obligations, or security-sensitive information.

9. Recognition

Pravune appreciates responsible reports that help improve security. At this stage, we do not operate a public researcher recognition programme.

If a recognition process is introduced in the future, this policy will be updated.

10. No bounty programme

Pravune does not currently operate a bug bounty, reward, payment, or compensation programme for vulnerability reports.

By submitting a report, you acknowledge that you are not entitled to payment, reward, compensation, or employment from Pravune unless this has been agreed separately in writing.

11. Security.txt

Pravune publishes a security.txt file at /.well-known/security.txt to make vulnerability reporting information easier to locate.

The file provides Pravune’s security contact route, responsible disclosure policy link, preferred reporting language, canonical location, and expiry date.

13. Changes to this policy

We may update this Responsible Disclosure Policy from time to time to reflect changes to our systems, reporting process, legal requirements, or security practices. The latest version will be published on this page.

14. Contact us

To report a suspected security vulnerability, contact security@pravune.com.

For general enquiries, contact hello@pravune.com.