Skip to content

Security

Found a vulnerability?
We'd like to hear from you.

Plynf ships with a published threat model and a 90-day fix window. The shortest path to a patch is a direct, signed report.

Report

security@plynf.com

PGP fingerprint D4C9 3F2B 8A11 6E04 9C7D · 2210 5F8E AA01 7BB3 9F8E. Public key on the GitHub org keyring. Encrypt anything with high-impact details.

Please include: affected component, reproduction steps, observed impact, and a suggested severity. Proof-of-concept code is welcome but not required.

What you can expect

  • Within 24 hours: acknowledgement and a triage ticket reference.
  • Within 7 days: initial severity assessment and a target fix date.
  • Within 90 days: public patch released and CVE assigned where applicable.
  • Always: attribution in the release notes if you'd like it, and a position on the Plynf security wall of fame.

Scope

In scope: the runtime services (workspace, gateway, identity, channel, workflow, observability), the SDK packages on PyPI, npm, pkg.go.dev, Swift Package Index and Maven Central, the marketing site, and the hosted cloud product.

Out of scope: third-party services we connect to (please report those upstream), social-engineering scenarios against staff, denial-of-service via brute-force traffic, and reports generated by automated scanners without manual confirmation.

Bounty

We pay for valid reports on a sliding scale based on severity and impact:

Critical
€8,000+
High
€2,500+
Medium
€800+
Low
€200+

Final amount depends on exploitability, blast radius, and quality of the report. We do not pay for theoretical issues without a working proof of concept.

Public posture

  • Threat model published at docs/threat-model.md
  • Dependencies scanned daily by Dependabot, results pinned in CI
  • SBOM generated for every release, signed with cosign
  • SOC 2 Type II in progress (target Q4 2026), ISO 27001 scoped for 2027