Pezel Tech LLC welcomes responsible disclosure of security vulnerabilities in pezeltech.com and the systems we operate. This page describes how to report a vulnerability, what's in scope, and our commitments to you in return.
Reporting a vulnerability
Email
security@pezeltech.com. Encrypt sensitive details if you'd like — request our PGP key in your first message and we'll respond with it.
In scope
- pezeltech.com — the marketing website
- *.pezeltech.com subdomains we operate (e.g., www.pezeltech.com)
- Email infrastructure for @pezeltech.com (SPF / DKIM / DMARC misconfiguration, spoofing vectors)
Out of scope
Please do not report issues in the following — they're either not our systems or we already know about them:
- Third-party services we use — Formspree, Cloudflare, Google Workspace. Report directly to those providers' security teams.
- Social engineering of Pezel staff, customers, or contractors
- Physical attacks against Pezel offices, equipment, or personnel
- Denial-of-service or volumetric attacks (we don't want you running these against us)
- Findings from automated vulnerability scanners without a proof-of-concept demonstrating real impact
- Missing security headers that don't lead to a demonstrable exploit (we already harden CSP, HSTS, X-Frame-Options, etc.)
- Self-XSS that requires the victim to paste attacker-controlled content into their own browser
- Rate-limit issues that don't lead to account takeover or sensitive data exposure
What to include in your report
- Description of the vulnerability and the affected component
- Steps to reproduce, including any required configuration, credentials, or payloads
- Impact assessment — what could an attacker do, and how bad is it?
- Suggested remediation, if you have one (optional but appreciated)
- Whether you'd like to be credited in our acknowledgments, and how you'd like to be credited
Our commitments
- Acknowledge your report within 2 business days
- Provide an initial assessment and timeline within 5 business days
- Keep you informed as we investigate and remediate
- Credit you publicly (with your permission) in our acknowledgments once the issue is resolved
- Not take legal action against researchers acting in good faith under this policy (see Safe harbor below)
Safe harbor
Pezel Tech LLC will not pursue legal action against security researchers who, in good faith:
- Make a reasonable effort to comply with this policy
- Avoid privacy violations, data destruction, or service degradation
- Use only the access necessary to demonstrate the vulnerability — and do not exploit it beyond that
- Do not exfiltrate data beyond what's needed to prove the issue
- Give us a reasonable opportunity to remediate before publicly disclosing
If your security research activities are conducted in line with this policy, we will consider them authorized and protected. If you're unsure whether a planned activity is in scope, email us first at security@pezeltech.com — we'd rather have the conversation than have to interpret your intent later.
Bug bounty
We do not run a paid bug bounty program at this time. We're a small, independent firm and our budget for security research is limited to in-kind rewards — public credit, a written thank-you, and a fast remediation. If that's not enough to motivate the work, we understand.
Machine-readable policy
This policy is also published in machine-readable form at /.well-known/security.txt per RFC 9116. Automated security scanners and disclosure platforms can discover our contact via that file.
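As an added illustration (not Pezel Tech's own code), a small Python checker for the RFC 9116 file mentioned above: it parses a constructed security.txt for pezeltech.com (the Policy URL is a placeholder) and verifies the required Contact and Expires fields, flagging an expired or over-long Expires the way a disclosure scanner would.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the policy above; the Policy URL is a placeholder.
SAMPLE = """\
# constructed sample for pezeltech.com
Contact: mailto:security@pezeltech.com
Expires: 2026-06-30T00:00:00Z
Policy: https://pezeltech.com/PLACEHOLDER-security-policy-url
"""

def _parse_ts(value):
    """Parse an RFC 3339 timestamp (the 'Z' suffix is accepted) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_security_txt(text):
    """Return {field-name-lowercased: [values]}, skipping comments and blank lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of findings; an empty list means the required fields check out."""
    now = _parse_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    fields = parse_security_txt(text)
    findings = []
    if not fields.get("contact"):
        findings.append("Contact is required")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("exactly one Expires field is required")
    else:
        try:
            when = _parse_ts(expires[0])
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 timestamp: {expires[0]!r}")
        else:
            if when <= now:
                findings.append("file has expired and should be treated as stale")
            elif when - now > timedelta(days=366):
                findings.append("Expires is more than a year out; RFC 9116 recommends less")
    return findings
```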
Contact
For all security-related inquiries: security@pezeltech.com