This system utilizes AI (Sentinel-Engine) to process requests.
Regulatory Ruleset: Updated 18 March 2026
Security

Vulnerability Disclosure

Our Commitment

The security of the Sentinel infrastructure is our absolute priority. We appreciate the contribution of security researchers and the technical community in identifying potential risks. We are committed to analyzing every report with professionalism and remediating confirmed vulnerabilities as quickly as possible.

Safe Harbor (Legal Protection)

We strongly support the protection of good-faith researchers. As long as your activity complies with this policy, we consider testing to be authorized by law. We will not initiate civil legal action and will not file criminal complaints for security research performed accidentally or in good faith.

Scope of Testing

Please limit your tests strictly to the following systems:

  • *.gettingsentinel.com
  • api.gettingsentinel.com (WASM Engine)
  • Platforma CLI (npx @sentinel/sdk)

Third-party services are explicitly excluded (e.g., Stripe, Lemon Squeezy, core Cloudflare infrastructure, SendGrid).

How to Report

Please contact us directly and privately at:

security@gettingsentinel.com

In your report, include the reproduction steps (PoC), a summary of the impact, and contact details.

SLA (Response Times)

  • Acknowledge: We acknowledge receipt of the report within a maximum of 48 hours.
  • Triage: We confirm the validity of the vulnerability within 5 business days.
  • Remediation: We promise to resolve critical issues in under 24 hours (Zero-Day/Zero-Egress SLA).

Rules of Engagement

To maintain "Safe Harbor" coverage, we ask you to respect the following principles:

  • No Data Exfiltration: Do not access, modify, or destroy other users' data (stop immediately once you demonstrate access).
  • No Denial of Service: Do not launch DoS/DDoS attacks, spam, or automated endurance tests.
  • Coordinated Disclosure: Please give us 90 days to remediate the issue globally before any publication of the vulnerability (Coordinated Vulnerability Disclosure).

What Should NOT Be Reported (Out of Scope)

  • Minor UI interpretation differences that do not affect security.
  • Issues related to missing DNSSEC headers or other standard configurations that do not directly lead to an exploit.
  • Social engineering or physical attacks against our staff or offices.