Pentrova runs a coordinated disclosure process. We acknowledge every report, triage quickly, and publish details on a cadence we can keep. This page is the single source of truth for the timing we commit to.
| Milestone | Commitment |
|---|---|
| Acknowledgement | Within 24 hours of receipt, every submission gets a human reply that confirms intake. |
| Triage decision | Within 72 hours, we confirm the severity and the fix plan (or explain why we cannot reproduce). |
| Public disclosure | By default 90 days after triage, or coordinated with the reporter if a longer window is required. |
Fix timelines are measured from triage, not from intake. Severity ratings follow CVSS v3.1 as a baseline and are adjusted by Pentrova based on blast radius and exploitability.
| Severity | Fix window | Notes |
|---|---|---|
| Critical | 7 days | Active exploit, mass exposure, or authentication bypass. We ship a fix or a mitigation within 7 calendar days of triage. |
| High | 30 days | Targeted exploitation leading to privilege escalation, tenant isolation break, or significant data exposure. |
| Medium | 90 days | Exploitation requires user interaction, privileged credentials, or a narrow window; impact is bounded. |
| Low | 180 days | Hardening, defense-in-depth, and best-practice items. We batch Low fixes into routine releases. |
After a fix ships and any coordinated embargo lifts, we publish a write-up on the Blog under the Security tag. Where appropriate, and with the reporter's consent, we credit the finder by name in the write-up.
If the vulnerability lives in a third-party component that Pentrova ships, we follow the upstream project's disclosure schedule rather than our own 90-day default.
Pentrova requests CVE identifiers from MITRE for every vulnerability that meets any of the following criteria:
The CVE identifier appears in the corresponding security blog post, the security advisory, and any affected release notes. Pentrova is willing to file requests on the reporter's behalf when the reporter prefers not to engage MITRE directly.