PatchMon

Security reporting guide

How to Report a Security Issue

Thank you for taking the time to report. This page walks you through the right channel, what to include, and what you can expect from us.

1. Pick the right channel

Vulnerability report

A weakness, flaw, or misconfiguration you think could be exploited, whether or not you have exploited it.

security@patchmon.net

Live incident

A confirmed active issue affecting your production data, or a sub-processor notifying PatchMon of an upstream event.

incidents@patchmon.net

2. What to include

Good reports are much easier to triage and fix. Please include as many of the following as you can:

  • A short summary of the issue.
  • The exact target: URL, API endpoint, binary version, container tag, or commit hash.
  • The environment in which you tested (production, self-hosted, docker-compose, version).
  • Step-by-step reproduction instructions.
  • A proof of concept: the minimum necessary to demonstrate impact.
  • Expected vs. actual behaviour.
  • An impact assessment (what could an attacker do?).
  • Whether you believe any data was accessed (yours or anyone else's).
  • A suggested remediation, if you have one.
  • Your name or handle, and whether you wish to be credited publicly.

3. Encryption

PGP encryption is welcome but not required. Our PGP public key is available on request from security@patchmon.net; verify its fingerprint with us before you use it. See our PGP page for details.
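The following is an added example of how a reporter might encrypt a report with GnuPG once the key has been received; it is not PatchMon's own tooling and nothing on this page fixes the key or its fingerprint. It assumes the public key arrived as an ASCII-armoured file and that the fingerprint was confirmed over a second channel (both are placeholders here). The fingerprint check is the part that matters: it catches a key swapped in transit before anything sensitive is encrypted to it.

```shell
#!/bin/sh
# Added example, not PatchMon's code. Encrypts a vulnerability report to
# security@patchmon.net with GnuPG, refusing to proceed unless the imported
# key's fingerprint matches the one confirmed out of band. The key file and
# expected fingerprint are placeholders supplied by the caller.
set -eu

RECIPIENT="security@patchmon.net"

# Full 40-hex-character fingerprint of the first key in the keyring that
# matches RECIPIENT (machine-readable --with-colons output, "fpr" records).
key_fingerprint() {
    gpg --batch --with-colons --list-keys "$RECIPIENT" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import the team's public key from a file and print its fingerprint so the
# caller can compare it against what the team stated over another channel.
import_key() {
    key_file="$1"
    gpg --batch --quiet --import "$key_file"
    key_fingerprint
}

# Encrypt a plaintext report into an ASCII-armoured file (default: <report>.asc).
# Arguments: report path, expected fingerprint, optional output path.
# Returns 1 without writing anything if the fingerprint does not match.
encrypt_report() {
    report="$1"
    expected_fpr="$2"
    out="${3:-$report.asc}"
    actual_fpr=$(key_fingerprint)
    if [ "$actual_fpr" != "$expected_fpr" ]; then
        echo "fingerprint mismatch: got '$actual_fpr', expected '$expected_fpr'" >&2
        return 1
    fi
    # --trust-model always: we verified the key ourselves, so do not stop on
    # GnuPG's web-of-trust prompt in batch mode.
    gpg --batch --yes --armor --trust-model always \
        --recipient "$RECIPIENT" --output "$out" --encrypt "$report"
    echo "$out"
}

# Usage (placeholders):
#   fpr=$(import_key patchmon-security.asc)
#   # compare $fpr with the fingerprint PatchMon gave you, then:
#   encrypt_report report.txt "$fpr" report.txt.asc
```

The encrypted `.asc` file is what goes in the e-mail; keep the plaintext report out of the message body and any attachments.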

4. What happens next

  • Auto-reply within minutes with a ticket reference.
  • Acknowledgement within 2 business days from a real person at PatchMon.
  • Triage within 5 business days, including a severity assessment.
  • Status updates at least every 14 days during remediation.
  • Standard 90-day remediation window, or sooner if fixed. Public disclosure afterwards.
  • Public credit on our hall of fame if you want it.

If the issue is being actively exploited in the wild, we will aim for an emergency fix within 7 calendar days where technically feasible.

5. Safe harbour

Good-faith research that follows our Vulnerability Disclosure Policy is authorised and will not result in legal action from PatchMon LTD. Please read the full policy before you test.