PlanckVPN

SECURITY

Responsible Disclosure

We depend on researchers to find what we have missed. If you have found a security issue in our website, our app, or our infrastructure, we want to hear about it before anyone else does.

IN SCOPE

What we want you to test

We are interested in any vulnerability that affects the following assets:

*.planckvpn.com

Our website and any subdomain we operate.

iOS app

PlanckVPN on the App Store. App Store ID 6758999980.

VPN servers

Our production WireGuard infrastructure and the systems that route VPN traffic.

OUT OF SCOPE

Please do not test these

The following are explicitly out of scope. Reports about these will be declined without further review.

  • Denial-of-service, stress testing, fuzzing at scale, or volumetric attacks of any kind against our website, app, or VPN servers.
  • Social engineering of our staff, our users, or our suppliers, including phishing and pretext calls.
  • Physical attacks against people, offices, or infrastructure.
  • Spam, missing or weak security headers without demonstrable impact, software version disclosure, clickjacking on pages without sensitive actions, and similar low-impact findings.
  • Third-party services we do not operate, including Apple, the App Store, and Google AdMob.
  • Findings produced by automated scanners without a working proof of concept.
  • Issues that require physical access to a victim's already-unlocked device.
  • Self-inflicted vulnerabilities, such as data extracted by the user from their own device using a debugger or jailbreak.

HOW TO REPORT

One inbox, encrypted on request

Email support@planckvpn.com.

If your report contains sensitive details, request our PGP fingerprint in your first message and we will respond with the current key. We rotate the key annually.

WHAT TO INCLUDE

A useful report has

  • The affected asset — a URL, an API endpoint, the iOS app version, or a server hostname.
  • Steps to reproduce, with the tools and parameters you used.
  • Your assessment of the impact, in your own words.
  • A suggested fix, if you have one (optional).
  • The name or handle you would like used in the Hall of Fame, or a request to remain anonymous.

Do not include the personal data of other users in your report. A description of the access path is enough.

OUR RESPONSE

What you can expect from us

  • We acknowledge your report within 3 business days.
  • We provide an initial triage decision within 7 days.
  • We give you a status update at least every 14 days until the issue is closed.
  • We coordinate public disclosure on a 90-day timeline by default. We can extend this if a fix is unusually complex, and we can shorten it for issues under active exploitation. If we ask for either, we will tell you why.

SAFE HARBOR

Good-faith research is authorized

If you make a good-faith effort to comply with this policy during your security research, we will consider your research authorized. We will work with you to understand and resolve the issue, and we will not recommend or pursue legal action related to your research. If a third party initiates legal action against you for activity conducted in accordance with this policy, we will make this authorization known.

This authorization does not extend to:

  • Actions that violate the privacy of our users or staff.
  • Destruction or modification of data that does not belong to you.
  • Service disruption that affects other users.
  • Any activity prohibited by applicable law.

HALL OF FAME

Researchers we owe a thank-you to

We recognize researchers who report qualifying vulnerabilities through this policy by listing them here, with a link of their choosing. Anonymous credit is also available on request.

No qualifying reports yet.

The first researcher to submit one will be recognized here.

Found something?

Email support@planckvpn.com. We read every message.