PYR-00

Security posture and vulnerability disclosure.

TLS A+, security headers A+, published security.txt and vulnerability disclosure policy. If you have found an issue, here is where and how to report it.

Report a vulnerability
PYR-01

Current posture

TLS: A+ (Qualys SSL Labs)

Security headers: A+ (Mozilla Observatory, 130/130)

Content-Security-Policy: Restrictive, nonce-based, no unsafe-inline

HSTS: Enabled, preload ready, max-age=2 years

DNSSEC: Enabled

DMARC: p=reject

security.txt: /.well-known/security.txt
PYR-02

Vulnerability disclosure

SEC-01

Vulnerability Disclosure Policy

Pyralink welcomes responsible disclosure. We acknowledge receipt within 48 hours, triage within 5 business days, and issue a fix or mitigation within 90 days of confirmation. Researchers acting in good faith under this policy will not face legal action.

SEC-02

Scope

In-scope: all public-facing web applications, APIs, and infrastructure under pyralink.co.uk and associated subdomains. Out of scope: third-party services, physical security, social engineering, denial-of-service, and client-owned systems.

SEC-03

Safe Harbour

Research conducted under this policy is considered authorised access. We will not pursue legal action for good-faith, policy-compliant security research.

SEC-04

Submission Guidelines

Submit via security@pyralink.co.uk using our PGP key (available via security.txt). Include: target URL, description, reproduction steps, and proof of concept if applicable.

SEC-05

Acknowledgement

We do not offer bounty payments. Valid policy-compliant disclosures will be publicly acknowledged unless anonymity is requested.

PYR-03

Contact

Security reports: security@pyralink.co.uk

PGP key: /.well-known/security.txt

General: info@pyralink.co.uk

PYR-CTA

Need help with your own security posture?

Book a free 30-minute security review. One specific recommendation you can action immediately.

Book a security review