Portchain
Vulnerability disclosure
1. Overview
Portchain welcomes responsible security research. This policy outlines how to share vulnerability findings with us safely and effectively.
2. Scope
In-scope systems:
- All *.portchain.com domains and subdomains
Out-of-scope systems:
- Third-party services, cloud providers, partner systems, and any Portchain-affiliated hardware not explicitly listed as in scope
- Social engineering, phishing, physical attacks, and attacks delivered through email or social-media platforms, unless explicitly permitted and coordinated with us in writing
3. Safe Harbor
Portchain provides safe harbor to researchers who follow this policy. You are authorized to test in-scope systems provided that:
- You do not attempt privilege escalation or denial of service, and you do not exfiltrate customer data.
- You do not access production customer data or disrupt customer operations (testing must be read-only).
- You do not generate heavy synthetic load or use destructive techniques.
- You limit your activity to one concise proof of concept (PoC): no mass scanning, fuzzing, or establishing persistence.
This is not a bug bounty program. This policy does not promise any payment or reward; compensation, if any, is at Portchain's discretion and separate from this policy.
4. Reporting Process
Send your report via email to security@portchain.com with the following details:
- Affected asset(s): hostname(s), IP, or service name
- Description: concise summary of the issue and its impact
- Steps to reproduce: clear, minimal steps or a PoC (plain text only; do not attach payload files)
- Timestamp(s) of your testing and your time zone, so we can correlate them with our logs
- Your name or handle, contact details, and optionally your affiliation
- Mitigation suggestions (optional but helpful)
We’ll respond within 3 business days with acknowledgment and a triage plan.
5. Triage & Remediation
- We’ll confirm receipt within 3 business days.
- We’ll keep you informed on status: “triaged”, “in progress”, “fixed”, or “won’t fix”.
- Fixes are prioritised by severity and rolled out according to our operational schedule.
- Once the issue is fixed, we'll coordinate disclosure with you (you will be credited if you wish, or remain anonymous on request).
6. Disclosure Coordination
We ask that you not publicly disclose the vulnerability before a fix is released or disclosure has been coordinated with us. Please allow up to 90 calendar days for remediation and coordination; if we need more time, we'll keep you informed.
7. Legal Safe Harbor
As long as you adhere to this policy and limit your testing to read-only activity against in-scope assets, Portchain will not take legal action against you. Your research is authorized and appreciated.
8. Areas Not Covered
Authorized testing does not include:
- Phishing, social engineering, or physical tests without explicit pre-approval
- Denial of Service (DoS) or capacity stress tests
- Exploit chaining that risks system stability or data destruction
- Accessing, copying, storing, or disclosing customer or user data