Security Policy & Vulnerability Disclosure
Last updated: July 12, 2026
Pwned Labs is a security training company, and we hold our own platform to the
same standard we teach. We welcome reports from security researchers who help us
keep our users and infrastructure safe. This page describes how to report a
vulnerability and what you can expect from us in return. It complements our
machine-readable
/.well-known/security.txt file.
How to report
Please send vulnerability reports to:
- Email: [email protected]
- Web: pwnedlabs.io/contact
To help us triage quickly, include where you can:
- A clear description of the issue and its potential impact.
- Step-by-step instructions to reproduce it (proof-of-concept, request/response, or screenshots).
- The affected URL, endpoint, or component, and the time of testing.
- Any accounts or test data you used (do not use other users' accounts).
Scope
In scope:
pwnedlabs.ioand its subdomains that we operate.- Our web application, APIs, and authentication flows.
Out of scope:
- The intentionally vulnerable lab and cyber-range environments — these are designed to be exploited and are part of the training product.
- Findings from automated scanners without a demonstrated, exploitable impact.
- Denial-of-service, volumetric, or brute-force testing.
- Social engineering, phishing, or physical attacks against staff or users.
- Third-party services and SaaS we do not control.
Rules of engagement
- Only test against your own account and data; never access, modify, or destroy data that is not yours.
- Stop testing and report immediately if you encounter personal data belonging to others.
- Do not run attacks that degrade availability or performance for other users.
- Give us a reasonable time to investigate and remediate before any public disclosure.
Our commitment
- We will acknowledge your report within 3 business days.
- We will keep you informed as we investigate and work toward a fix.
- We will not pursue legal action against researchers who act in good faith and follow this policy.
- With your permission, we are happy to credit you once the issue is resolved.
Preferred languages
We accept reports in English.
Questions about this policy? Contact [email protected].