Security Disclosure Policy
Report suspected security vulnerabilities in PitCrew-owned systems.
Last Updated: July 2026
Reporting a Vulnerability
If you believe you have found a security vulnerability in a PitCrew Labs website, application, API, browser extension, or customer-facing workflow, please report it to security@pitcrewlabs.ai.
Please include enough detail for us to understand and reproduce the issue, such as affected URLs, steps to reproduce, screenshots or proof-of-concept details that do not expose sensitive data, and your contact information for follow-up.
Response Expectations
We aim to acknowledge vulnerability reports within five business days. After acknowledgement, we will triage the report, may request additional information, and will communicate remediation status or expected next steps when appropriate.
We do not guarantee a fixed remediation timeline for every issue. Timing depends on severity, exploitability, affected systems, customer impact, and the complexity of a safe fix.
Scope
This policy applies to PitCrew-owned public websites, applications, APIs, browser extensions, and related customer-facing workflows. Do not test third-party systems, customer environments, or non-public systems unless you have explicit written authorization.
Rules of Engagement
When researching or reporting a potential issue, do not:
- Access, modify, delete, exfiltrate, or disclose PHI, customer data, personal data, secrets, or credentials.
- Perform denial-of-service, load testing, destructive testing, spam, phishing, social engineering, or physical attacks.
- Attempt persistence, backdoors, lateral movement, or privilege escalation beyond what is necessary to demonstrate the issue safely.
- Test customer tenants, customer systems, or third-party services without authorization.
- Publicly disclose a vulnerability before PitCrew has had a reasonable opportunity to investigate and remediate it.
Safe Harbor
If you make a good-faith effort to follow this policy, avoid privacy violations, avoid service disruption, avoid data access or destruction, and report promptly, PitCrew will not pursue legal action against you for the security research itself. This safe harbor does not apply to activity that is malicious, destructive, deceptive, privacy-invasive, or outside the scope of this policy.
No Bug Bounty
PitCrew does not currently offer a public bug bounty or monetary rewards for vulnerability reports unless explicitly agreed in writing before testing.
Security.txt
Our machine-readable security contact file is available at /.well-known/security.txt.