PatchMon

Version 1.1. Last updated: 20 April 2026.

Vulnerability Disclosure Policy

PatchMon LTD welcomes reports from security researchers and members of the public that help keep PatchMon, PatchMon Cloud, and our customers safe. This policy explains what to test, how to report, what to expect, and our safe-harbour commitment.

1. Reporting Channel

Send vulnerability reports to security@patchmon.net. We monitor the inbox during business hours and page for anything urgent.

PGP encryption is welcomed but not required. Our PGP public key can be requested by emailing security@patchmon.net.

Please do not send vulnerability reports to general support addresses, social media, or incidents@patchmon.net (which is reserved for confirmed live incidents).

2. Scope

2.1 In Scope

  • patchmon.net and all PatchMon-operated subdomains.
  • PatchMon Cloud application, API (/api/v1), authentication flows (including OIDC SSO), session management, and tenant isolation.
  • PatchMon Cloud WebSocket endpoints.
  • PatchMon open-source repositories under the PatchMon GitHub organisation (server, agent, frontend).
  • Published agent binaries and container images from PatchMon release channels.
  • Install and update scripts distributed from patchmon.net.
  • status.patchmon.net and docs.patchmon.net.

2.2 Out of Scope

  • Third-party services operated by our sub-processors (IONOS, 9 Technology Group Ltd, Stripe, GitHub, Hiscox). Report these directly to the provider.
  • Self-hosted PatchMon deployments on customer infrastructure. Defects in the PatchMon software itself are still in scope and should be reported here; the deployment and its configuration are the customer's responsibility.
  • Issues in third-party dependencies where PatchMon does not own the fix.
  • Our customers' or partners' infrastructure.
  • Non-public test, development, and staging environments.

2.3 Activities That Are Never Authorised

  • Denial of service, stress testing, or resource exhaustion.
  • Social engineering of staff, customers, or sub-processors.
  • Physical attacks on offices or data-centre facilities.
  • Phishing or pretexting.
  • Accessing, modifying, or deleting data that does not belong to you.
  • Exfiltrating or retaining customer data; pivoting into a customer's managed hosts via our SSH or RDP proxies.
  • Public disclosure before the coordinated disclosure window has closed.

3. What We Want to Hear About

  • Authentication or authorisation bypass.
  • Injection (SQL, command, template, XSS).
  • Server-side request forgery, IDOR, broken access control.
  • Privilege escalation, including tenant-to-tenant boundary breaches.
  • Remote code execution.
  • Cryptographic weaknesses with practical impact.
  • Sensitive data exposure.
  • Supply-chain issues in PatchMon-owned build or release pipelines.
  • Agent-update or agent-authentication bypass.
  • Business-logic flaws with material impact.

4. Issues Typically Out of Scope or Low Impact

We receive many reports of the following; unless you can demonstrate concrete exploitation or material impact, we are unlikely to act on them:

  • Missing HTTP security headers without a demonstrated exploit.
  • Missing SPF/DKIM/DMARC on non-mail domains.
  • SSL/TLS scanner findings without a demonstrated exploit against modern clients.
  • Self-XSS or XSS requiring a compromised browser.
  • Clickjacking on pages without sensitive state-changing actions.
  • Missing rate limits on endpoints with no sensitive effect.
  • Username enumeration without another combined flaw.
  • Automated scanner output without manual verification of impact.

5. Coordinated Disclosure Timeline

  • Acknowledgement: within 2 business days (auto-reply within minutes).
  • Initial triage and severity assessment: within 5 business days.
  • Status updates during remediation: at least every 14 calendar days.
  • Standard remediation window: 90 calendar days from acknowledgement.
  • Public disclosure: after remediation, or at day 90, whichever is earlier. Extensions by mutual agreement for unusually complex issues.
  • Critical vulnerabilities under active exploitation: emergency patch target of 7 calendar days where technically feasible.

6. Safe Harbour

PatchMon LTD considers security research conducted in good faith under this policy to be:

  • Authorised with respect to any applicable anti-hacking laws, including the UK Computer Misuse Act 1990.
  • Authorised with respect to any applicable anti-circumvention laws.
  • Exempt from restrictions in our Terms of Service that would otherwise interfere with research, for the limited purpose of this policy.
  • Lawful, helpful to our customers, and appreciated.

Safe harbour is conditional on following this policy in full, not exfiltrating customer data, stopping and contacting us if you encounter personal data that is not yours, and not disrupting service beyond what is necessary to demonstrate the vulnerability. If you are uncertain whether a planned activity is covered, ask us first.

7. What to Include in a Report

  • A short summary of the issue.
  • Exact target (URL, API endpoint, binary version, container tag, commit hash).
  • Environment in which you tested (production, self-hosted, docker-compose, version).
  • Step-by-step reproduction instructions.
  • Proof of concept (minimum necessary to demonstrate impact).
  • Expected vs. actual behaviour.
  • Impact assessment.
  • Whether you believe any data was accessed (yours or anyone else's).
  • Suggested remediation, if you have one.
  • Your name or handle, and whether you wish to be credited publicly.

8. Recognition and Rewards

PatchMon LTD does not currently operate a paid bug-bounty programme. We recognise researchers who report valid vulnerabilities in good faith by:

  • Crediting them on our public acknowledgements page (with consent).
  • Providing a written acknowledgement suitable for CV or portfolio use.
  • At our discretion, offering swag, account credit, or other non-monetary recognition for exceptional reports.

9. Data You Encounter

If you inadvertently access personal data:

  1. Stop and preserve no more than the minimum necessary to demonstrate the issue.
  2. Do not read further.
  3. Do not share or store the data.
  4. Let us know immediately at security@patchmon.net.

Handling a report in this way preserves safe harbour. PatchMon may treat the event as a potential breach under our Breach Notification Procedure; researchers acting in good faith will not be the subject of enforcement by PatchMon.

10. Jurisdiction

This policy is governed by the laws of England and Wales. Nothing here limits your legal right to report a vulnerability to a regulator, law-enforcement authority, or other supervisory body.

11. Review

This policy is reviewed annually and whenever PatchMon launches a new service, a material change occurs in applicable law, or a vulnerability or incident indicates the policy needs refinement.