Ethical Disclosure Policy

This policy outlines PEN Consultants’ ethical approach to disclosing security vulnerabilities discovered during our assessments or independent research. All company associates are bound by this policy if any aspect relates to PEN Consultants. Furthermore, our associates operating completely independently “on personal time” are highly encouraged to follow this or a similar policy.

While this policy is built on ethical and responsible conduct, we acknowledge that interpretations of legality in security research may vary. This policy reflects good-faith efforts to protect systems and people, not to exploit or harm.

Goals

  • Protect our Clients, community, and others from vulnerabilities that affect systems and data.
  • Establish a framework that builds trust, minimizes risk, and avoids the appearance of unethical or dangerous behavior.
  • Balance the need to “prove” that a suspected vulnerability exists (otherwise a report would be indistinguishable from spam) against the thin gray line between “verification” and “unauthorized computer access”.

Our Principles

Core Ethical Foundations

  • Transparency: Avoid intentional anonymization techniques such as VPNs or proxies, unless explicitly authorized, to ensure transparency of research activity. IP addresses, dates, times, etc., are to be disclosed with reporting.
  • Good Samaritan: Do not exploit vulnerabilities for personal or financial gain; instead, commit time and resources to help those we find in need. Continuing without notifying affected parties would be immoral.
  • No Harm: Prioritize the safety, privacy, business continuity, and availability of all parties. (e.g., No DoS attacks, heavy scanning or enumeration, touching critical infrastructure or life-impacting equipment, etc.)
  • Responsible Disclosure: Disclose sensitive vulnerability details only to those who are the responsible parties and continue to maintain a level of confidentiality until informed consent is given to do otherwise.
  • Client-First: Notify affected parties in a timely, secure, and professional manner, balancing our obligation to protect our Clients and affected parties with responsible disclosure principles.

Operational Guidelines

  • Minimize Verification: Do not access or retain data beyond what is necessary to demonstrate a vulnerability. Place a “limit” on queries, record redacted screenshots of datasets as opposed to downloading them, etc.
  • Self Exploitation: When possible and practical, limit testing and access to “test” accounts and tenants. Generally, violating EULAs/ToCs regarding “multiple accounts” is preferred over accessing other user accounts.
  • Data Integrity: Do not modify, delete, or add data, software, or “backdoors” outside of personally owned accounts or tenants.
  • Light Touch: Avoid excessive requests (e.g., thousands) unless absolutely necessary and only after peer review. Vulnerability scans against shared infrastructure are prohibited unless authorized by EULAs/ToCs. Generally, requests against any single endpoint should be limited to a few dozen, with meaningful delays introduced.
  • Self-Host: If the solution can be self-hosted “locally”, that is preferred and also enables more aggressive analysis, assuming it does not “trigger” requests to shared infrastructure/services.
  • Records: Maintain a best effort approach to keep detailed records and notes for all activity. (e.g., Dates, times, source IP, logs, command line history, Burp project file, etc.)
  • Due Diligence: Best effort to provide detailed, actionable recommendations for every disclosure.
  • Level of Effort: Time spent attempting to disclose and report should correlate to the seriousness of the vulnerability. (ex. An info/low-level finding may not warrant any time, a medium severity may warrant a couple of attempts to disclose, whereas a high or critical severity deserves hours/days attempting to disclose, report, and help resolve)
  • All Details: Provide all known details to the Responsible Party, and respond to any reasonable requests for additional information. “Pay for details” extortion attempts are forbidden in the strongest terms and will be referred to law enforcement.
  • No Sales Pitch: Often, an industry standard recommendation may suggest getting a pentest, but that should clearly indicate “from any reputable firm” and, at most, only offer PEN Consultants as one option.

Legal & Policy Compliance

  • Compliance: All activities are conducted within the bounds of contracts, program rules, and/or these established guidelines.
  • Legal: Make every effort to comply with all applicable laws and regulations, understanding that their interpretation can be inconsistent or unclear.
  • Compensation: Never ask for money or a reward; attempt to refuse it if offered.
  • Client Confidentiality: Maintain full adherence to all contractual obligations.
  • Limit Need-To-Know: Make a best effort to identify and contact the responsible party for any discovered vulnerability. If the responsible party is unknown or unresponsive, partial or full disclosure may be made to a relevant customer or affiliate.
  • Law Enforcement: Base guidelines and principles on what various law enforcement representatives have shared over the years.

Safety & Support

  • Trusted Peer(s): It is advised to collaborate with one or more trusted peers during every step of this research and disclosure, as there is wisdom and safety in a group of counsellors. Said peers must also adhere to this policy.
  • Threats: There are high risks with no reward for a reporter of a vulnerability. Therefore, if a researcher or reporting entity is threatened during disclosure, the process may be immediately suspended. There is zero tolerance for threats.
  • Law Enforcement: We reserve the right to involve our federal law enforcement contacts in response to threats against PEN Consultants, our associates, or others, or in cases involving activity that is generally considered mandatory to report.

Research Scope

Including, but not limited to:

  • Current or prospective Clients, partners, affiliates, etc. (e.g., a value-add)
  • Incidental (e.g., found during an engagement, but outside of scope or contractual confidentiality obligations)
  • Business or personal related (e.g., services, accounts, software, hardware, etc., used personally or as a business)
  • Public (e.g., broad or bulk research)
  • Bug Bounty Programs (e.g., where additional, more aggressive analysis may be authorized)

Note: It is the prerogative of both the security researcher and reporting entity to avoid research, analysis, verification, or reporting related to entities that may violate applicable laws, personal ethics, or moral boundaries.

Disclosure Scenarios

Our Clients

Vulnerabilities discovered in which our Client is the responsible party are disclosed only to our Client - never publicly without explicit, written Client approval.

These private disclosures will be in accordance with established non-disclosure and confidentiality agreements. If those agreements do not yet exist for an entity, but we are in business negotiations or have a reasonable expectation that the entity will soon be a Client, we will generally act as if they were.

For clarity, and in accordance with contractual language: Vulnerabilities discovered in 3rd party software will be sent to the vendor directly to ensure they can protect all of their customers. Such submission will be made in private to the vendor, giving time for a patch to be created and time for customers to patch their systems before the vulnerability becomes publicly known. At most, the Findings and Recommendations Report may only contain a high-level summary of the finding (ex., a remote code execution vulnerability was found in product X from vendor Y).

Independent Research

When a vulnerability is discovered in an organization’s vulnerable asset, the following protocol should be followed:

  1. Attempt to notify the affected party via secure and appropriate channels - see “Escalating Contact Methods”
  2. Allow a reasonable remediation window (typically 30 - 90 days), unless active exploitation is observed
  3. Public disclosure may occur after the remediation window has passed or if the affected party remains unresponsive, but only following a thorough risk evaluation. If the vulnerability directly impacts PEN Consultants' clients, it will ultimately be disclosed. In other cases, it may be disclosed publicly, especially if no patch is available or if the risk is widespread and significant.

Critical Risks

In cases where vulnerabilities pose imminent risk to public safety or privacy, the disclosure may be expedited to appropriate government entities, law enforcement authorities, CERTs, platform maintainers, and, if applicable, PEN Consultants' affected clients in a responsible, safe, and meaningful manner.

Public Research

In some cases, broad, sweeping discovery may be conducted for a particular vulnerability - potentially extending in scope to the entire Internet.

This type of bulk research and analysis will often be published in a public medium such as a blog post or research paper, written in such a way as to obscure the specific affected parties while still disclosing the vulnerability details, up to and including a full proof of concept.

Escalating Contact Methods

  1. Check: /.well-known/security.txt on the main website
  2. Search: the organization’s site and the web for “vulnerability disclosure” OR “bug bounty”
  3. Email to a small group of likely responsible parties if email addresses are known or discoverable - developers, CISO, security@, etc. Note: Exploiting common account enumeration vulnerabilities found in nearly all leading email solutions is acceptable when attempting to find email addresses for personnel found in OSINT (e.g., LinkedIn, GitHub, online directories, etc.).
  4. Second email to an expanded group such as helpdesk@, info@, etc.
  5. DM on social media
  6. Phone call
  7. Engage a multitude of peers from this point forward - is proceeding warranted?
  8. Reach out to affected parties/customers of the solution
  9. Escalate to an “I found a serious vulnerability in X, I’ve tried contacting you privately, but you will not return my emails|calls” public post on social media
  10. Release a public statement with a balance of detail and proof-of-validity in an attempt to establish the credibility of the claim without disclosing the vulnerability details.
  11. Scorched Earth: As a last resort, and only after exhaustive good-faith attempts to engage the Responsible Party, a full public disclosure with proof-of-concept may be released to ensure mitigation by affected users.

Notes:

  • Depending on severity, the number of steps taken could be limited.
  • Generally, do NOT use online contact forms - those rarely go to the correct party, and the formatting is not conducive to sending initial proof-of-validity.
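The first escalation step above relies on the security.txt file standardized in RFC 9116. As an added illustration (not part of PEN Consultants’ policy or tooling), the following parser reads an already-fetched `/.well-known/security.txt`, returns its `Contact` URIs in the order the organization listed them, and refuses to rely on a file that is missing its required fields or has passed its `Expires` date, which is the signal to move on to the next escalation step. The sample file embedded below is constructed; `example.com` is a placeholder, not a real target.

```python
"""Locate a disclosure contact from a security.txt file (RFC 9116).

Added example, not part of PEN Consultants' policy. Fetching the file from
https://<domain>/.well-known/security.txt is left to the caller so this
runs offline; the SAMPLE text below is constructed for illustration.
"""
from datetime import datetime, timezone

# Field names defined by RFC 9116. Contact is required; Expires is required
# and must appear exactly once. Other names are kept for the reviewer's eyes.
KNOWN_FIELDS = {
    "contact", "expires", "encryption", "acknowledgments",
    "preferred-languages", "canonical", "policy", "hiring", "csaf",
}


def parse_security_txt(text):
    """Return {field-name (lower-case): [values in file order]}.

    Comment lines (#), blank lines and PGP cleartext-signature armor
    (-----BEGIN ... / -----END ...) are skipped; lines without a colon are
    treated as malformed and ignored rather than raising.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        if ":" not in line:
            continue  # malformed line, not a field
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def disclosure_contacts(text, now=None):
    """Return the Contact URIs if the file is usable.

    Raises ValueError with the reason when the file should not be relied
    on (no Contact, missing/duplicate Expires, expired, non-URI contact),
    which in the escalation list above means: go to the next step.
    """
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)

    contacts = fields.get("contact", [])
    if not contacts:
        raise ValueError("no Contact field: fall back to the next escalation step")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        raise ValueError("Expires must appear exactly once")
    # RFC 9116 dates are ISO 8601; normalise a trailing Z for fromisoformat.
    exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    if exp <= now:
        raise ValueError("security.txt has expired; its contacts may be stale")

    # Contact values are URIs (mailto:, https:, tel: are the usual schemes).
    for c in contacts:
        if ":" not in c:
            raise ValueError(f"Contact is not a URI: {c!r}")
    return contacts


# Constructed sample file; example.com is a placeholder, not a real site.
SAMPLE = """# Constructed sample security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2099-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample of a stale file that should not be trusted.
EXPIRED_SAMPLE = """Contact: mailto:security@example.com
Expires: 2000-01-01T00:00:00Z
"""


if __name__ == "__main__":
    print("contacts:", disclosure_contacts(SAMPLE))
    try:
        disclosure_contacts(EXPIRED_SAMPLE)
    except ValueError as err:
        print("skip:", err)
```

Pass a fixed `now` when you need deterministic behaviour (for instance in a test); otherwise the current UTC time is used. Unknown field names are retained by `parse_security_txt` so that a researcher reviewing the file can see everything the organization published, while `disclosure_contacts` only enforces the two fields RFC 9116 makes mandatory.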

Definitions

  • Vulnerable Asset: product, service, software, mobile app, system, component, etc. be it a direct or a 3rd party asset
  • Reporting Entity: The person or organization disclosing the vulnerability - based on company-sponsored research, part of Client work, on behalf of a security researcher or 3rd party, etc.
  • Security Researcher: The individual or team who discovers the vulnerability - independent researcher, someone working for another organization, a hobbyist, or similar.
  • Client: An organization that has, or is forming, a business relationship with the reporting entity and is either the owner of the vulnerable asset or has a vested security interest in the vulnerability details.
  • Responsible Party: The creator, maintainer, or distributor of the Vulnerable Asset. The ones who likely need to correct the issue.
  • Affected Party: The organization(s) or individual(s) potentially impacted by the vulnerability, including users, customers, or downstream integrators.
  • Public: The broader user base that might be impacted by the vulnerability if it's exploited or not patched.

Contact

  • If you believe PEN Consultants has identified or disclosed a vulnerability related to your organization and you have questions or concerns about our process, please Contact Us.
  • If you would like to report a vulnerability found in PEN Consultants' systems or software, or need help coordinating a disclosure with someone else, please visit Vulnerability Disclosure Policy.

Disclaimer

This policy is subject to change based on evolving legal, ethical, or technical considerations. PEN Consultants reserves the right to update these practices without prior notice.
