Security Disclosures

Secure disclosure of discovered vulnerabilities

We take the security of our websites and client assets seriously. If you're a security researcher (also known as an ethical hacker) and you've discovered a potential vulnerability, we appreciate your efforts to disclose it responsibly.

How to Report a Vulnerability

Please email security@pivale.co with details of the issue. If your report includes sensitive information, we request that you encrypt it with our GPG public key (below) and attach it to your email.

If you're unsure whether your findings are sensitive, please email us first and we can advise how to proceed.

Guidelines for Reporting

  • Provide as much detail as possible (e.g. affected URLs, payloads, steps to reproduce).
  • Don’t test against live systems in a way that could impact service availability.
  • Don’t access, modify or delete data that doesn’t belong to you.
  • Give us a reasonable amount of time to investigate and fix any issues before making anything public.

We are not currently part of a bug bounty programme, so financial rewards are not offered. However, we are happy to credit researchers who follow responsible disclosure practices. If you'd like to be acknowledged, let us know and share a name or profile link you'd like us to list.

Secure Communication with GPG

You can use our GPG public key to encrypt your message. Here’s how to use it depending on your platform:

Windows

  1. Install Gpg4win.
  2. Import our public key using Kleopatra or by command line:

    gpg --import path/to/pivale-public-key.asc
  3. Encrypt your message:

    gpg --encrypt --armor --recipient E592EE48189BCC1C8600727555E9A3B130713482 message.txt

macOS

  1. Install GPG Tools from https://gpgtools.org.
  2. Import our public key:

    gpg --import path/to/pivale-public-key.asc
  3. Encrypt your message:

    gpg --encrypt --armor --recipient E592EE48189BCC1C8600727555E9A3B130713482 message.txt

Linux

  1. Install GPG if not already installed:

    sudo apt install gnupg   # Debian/Ubuntu
    sudo yum install gnupg   # RHEL/CentOS
  2. Import our public key:

    gpg --import path/to/pivale-public-key.asc
  3. Encrypt your message:

    gpg --encrypt --armor --recipient E592EE48189BCC1C8600727555E9A3B130713482 message.txt
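
The import step on each platform trusts whatever key file it is given. As an added example (not Pivale's own tooling), this shell script for macOS or Linux checks that the key file contains exactly one primary key whose fingerprint matches the one in the `--recipient` commands above, and only then imports it and encrypts. The function names `primary_fprs`, `key_matches` and `encrypt_report` and the script name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a downloaded key file against the fingerprint used in
# the --recipient commands on this page before importing and encrypting.
EXPECTED_FPR="E592EE48189BCC1C8600727555E9A3B130713482"

# Read `gpg --with-colons` key listing on stdin and print the fingerprint of
# every primary key. The first "fpr" record after a "pub" record is the
# primary key's; "fpr" records after "sub" belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# fingerprint equals $1 (hex case is ignored).
key_matches() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    got=$(primary_fprs)
    [ "$got" = "$want" ]
}

# Hypothetical wrapper: encrypt_report KEYFILE MESSAGE
encrypt_report() {
    keyfile=$1
    message=$2
    # show-only lists the keys in the file without adding them to the keyring.
    if ! gpg --with-colons --import-options show-only --import "$keyfile" |
            key_matches "$EXPECTED_FPR"; then
        echo "fingerprint mismatch, not importing $keyfile" >&2
        return 1
    fi
    gpg --import "$keyfile" &&
        gpg --encrypt --armor --recipient "$EXPECTED_FPR" "$message"
}

# Run as: sh encrypt-report.sh path/to/pivale-public-key.asc message.txt
if [ "$#" -eq 2 ]; then
    encrypt_report "$1" "$2"
fi
```

The check catches a corrupted or substituted key file; the encrypted output is written next to the input as `message.txt.asc`.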

PGP key

Please use this PGP key for encrypting your disclosure message:


Acknowledgements

We would like to thank the following individuals for their responsible disclosures:

  • (List will be maintained here)