- phalanxia.com and all subdomains
- The Phalanxia web application and API
- Authentication and session management
- Injection vulnerabilities (SQL, command, template)
- Broken access control and privilege escalation
- Sensitive data exposure or insecure storage
- Security misconfigurations with material impact
- Server-side request forgery (SSRF)
- Cross-site scripting (XSS) with demonstrated impact
Vulnerability Disclosure Policy
We take the security of Phalanxia and the data entrusted to us seriously. If you believe you have found a security vulnerability, we encourage you to tell us responsibly.
How to report a vulnerability
Send a detailed report to security@phalanxia.com. Please include:
- A clear description of the vulnerability and its potential impact
- Step-by-step reproduction instructions
- Any proof-of-concept code, screenshots, or HTTP request/response samples
- The affected URL, endpoint, or component
- Your contact details for follow-up
We also publish a machine-readable disclosure file at /.well-known/security.txt in accordance with RFC 9116.
What to expect
We aim to acknowledge every valid report and keep researchers informed as we work through remediation. The following timelines are targets and may vary based on complexity.
- Initial acknowledgement: Illustrative 2 business days
- Triage and severity assessment: Illustrative 5 business days
- Remediation target for critical issues: Illustrative 30 days
- Remediation target for high-severity issues: Illustrative 60 days
- Status update cadence: Illustrative every 7 days
Recognition
We genuinely appreciate security researchers who take the time to report issues responsibly. With your permission, we will acknowledge your contribution in our release notes or a dedicated credits section once the issue is resolved.
We do not currently operate a paid bug-bounty program.
- Denial-of-service attacks or volumetric testing
- Social engineering or phishing of Phalanxia employees
- Physical security of our facilities
- Automated scanning that degrades service quality
- Reports targeting third-party services we rely on
- Missing security headers without demonstrated impact
- Self-XSS requiring victim interaction
- Rate-limiting issues without authentication bypass
We will not take legal action against good-faith research.
Phalanxia authorises good-faith security research on the systems listed in scope above. If you conduct your research in accordance with this policy, we will:
- Not pursue civil or criminal action against you for the research
- Not refer your activities to law enforcement
- Work with you to understand and resolve the issue quickly
Good-faith research means you: do not access or modify data that does not belong to you; do not degrade the availability of our services; do not disclose the issue publicly before we have had a reasonable opportunity to remediate it; and limit testing to the minimum necessary to confirm the vulnerability.
This safe-harbor statement is not a blanket authorisation. Activities that fall outside good-faith research — including intentional data access, exfiltration, or service disruption — are not covered.
Found something?
Send your report to our security team. We read every message and will respond as quickly as possible.