Responsible Disclosure
Effective date: 2026-05-25
Security is our profession. We take vulnerability reports seriously and welcome reports from the security community about issues affecting Sentinel Point Systems infrastructure or the Site.
Scope
The following assets are in scope for responsible disclosure:
- sentinelpointsystems.com (the marketing website)
- Email infrastructure for sentinelpointsystems.com
- Any public-facing service explicitly owned by Sentinel Point Systems LLC
Out of scope
- Third-party services we use (Cloudflare, Formspree, Calendly, Google) - report those issues directly to the relevant provider
- Client environments tested under a Sentinel Point Systems engagement - those are governed by the engagement's terms and the client's own disclosure program
- Theoretical vulnerabilities without a proof of concept
- Reports generated solely by automated scanners
- Issues that require physical access, social engineering, or denial-of-service
- Missing security headers without demonstrable impact
- Outdated software disclosures without a working exploit affecting our deployment
How to report
Send a detailed report to security@sentinelpointsystems.com including:
- A clear description of the issue and its impact
- Steps to reproduce, including any affected URL, parameter, or payload
- Proof-of-concept output, screenshots, or request and response captures
- Your contact information so we can follow up
If the report contains sensitive material, encrypt it. A PGP key is available on request.
Our commitments
- Acknowledge receipt of your report within 3 business days
- Provide an initial triage and validity assessment within 10 business days
- Keep you informed of remediation progress
- Credit you in any public communication if you wish, with your permission
- Not pursue legal action against good-faith researchers acting within this policy
Safe harbor
We consider security research and reporting activities performed in accordance with this policy to be authorized activity. We will not initiate or support legal action against you for accidental, good-faith violations of this policy, provided you:
- Avoid accessing, modifying, or destroying data that is not your own
- Do not exfiltrate data beyond what is minimally necessary to demonstrate the issue
- Do not disclose the issue publicly until we have had a reasonable opportunity to address it
- Do not conduct testing that degrades the availability of our services
- Do not violate any applicable laws
Bounty
We do not currently offer monetary bug bounties. Recognition and gratitude are guaranteed; cash is not.
Questions
For questions about this policy or to discuss a report in advance, contact security@sentinelpointsystems.com.