Security

Responsible Disclosure

We take security seriously. If you've found a vulnerability in the Red Team Cockpit platform, we want to hear from you.

Our Commitment

At BIT SENTINEL SECURITY SRL, security is at the core of everything we build. We recognize that independent security researchers play a valuable role in keeping the internet safe. We encourage responsible disclosure of any vulnerabilities found in our platform, website, or related infrastructure.

While we do not offer monetary bounties, we genuinely appreciate the effort and expertise of researchers who report valid findings. We are committed to working with you openly, fixing confirmed vulnerabilities promptly, and acknowledging your contribution.

Scope

The following assets are in scope for responsible disclosure:

  • Red Team Cockpit web application (app.redteamcockpit.com)
  • Red Team Cockpit marketing website (redteamcockpit.com)
  • Red Team Cockpit API endpoints

The following are out of scope:

  • Third-party services and integrations not operated by BIT SENTINEL
  • Social engineering attacks against BIT SENTINEL employees or customers
  • Physical security attacks
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning or brute force attacks
  • Vulnerabilities in outdated browsers or plugins
  • Clickjacking on pages with no sensitive actions
  • Self-XSS or issues requiring unlikely user interaction
  • Email spoofing / SPF / DKIM / DMARC configuration issues

How to Report

Please send your findings to:

To help us investigate and resolve the issue quickly, please include:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Affected URL(s), endpoint(s), or component(s)
  • Screenshots, proof-of-concept code, or video recordings where applicable
  • Your suggested severity assessment (optional)
  • Your name or alias for acknowledgment (if desired)

If possible, encrypt your report using our PGP key (available upon request).

What to Expect

Acknowledgment within 3 business days

We will confirm receipt of your report and provide a point of contact.

Triage and assessment within 10 business days

We will evaluate the severity, confirm the vulnerability, and provide an initial assessment.

Remediation and follow-up

We will work to resolve confirmed vulnerabilities promptly and keep you informed of progress.

Guidelines

When conducting your research, please:

  • Act in good faith and avoid actions that could harm users, disrupt services, or compromise data
  • Do not access, modify, or delete data belonging to other users
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to fix it
  • Only interact with accounts you own or have explicit permission to test
  • Stop testing and report immediately if you encounter sensitive data (personal data, credentials, etc.)
  • Do not use automated tools that generate excessive traffic or could impact Platform availability

Safe Harbor

If you conduct security research in accordance with this policy, we consider your research to be:

  • Authorized and we will not pursue legal action against you
  • Exempt from restrictions in our Terms of Service that would otherwise prohibit security testing
  • Conducted in good faith, and we will work with you to understand and resolve the issue

We ask that you give us a reasonable timeframe to address confirmed vulnerabilities before any public disclosure.

Recognition

While we do not offer monetary rewards, we value the contributions of security researchers and offer:

  • Public acknowledgment on our security hall of fame (with your permission)
  • A written letter of appreciation from BIT SENTINEL's security team
  • Direct communication with our engineering team during remediation

Qualifying Vulnerabilities

We are particularly interested in findings related to:

  • Authentication and authorization bypasses
  • Server-side injection vulnerabilities (SQLi, RCE, SSRF)
  • Cross-site scripting (XSS) with demonstrable impact
  • Insecure direct object references (IDOR)
  • Privilege escalation between user roles
  • Data exposure or information disclosure
  • Cross-site request forgery (CSRF) on sensitive actions
  • Business logic flaws with security impact

Contact

For all security-related reports and inquiries:

BIT SENTINEL SECURITY SRL
Email: [email protected]
Registration: RO34300479
Location: Romania, European Union