# Security Policy

PNLCS handles billing, customer credentials, payment integrations and reseller workflows for real hosting businesses. A security defect here can affect invoices, customer data and payment flows — we take that seriously.

If you find something, we want to hear about it.

## Supported versions

| Branch | Status |
|---|---|
| Latest tagged release (cut from `main`) | Receives security patches |
| Previous minor release | Best-effort backports for critical issues only |
| Older releases | Not supported; please upgrade |

The current release is shown in the PNLCS admin footer and on the [Releases page](../../releases).

## How to report a vulnerability

**Do not** open a public GitHub issue, discussion, or forum thread for security findings.

### Preferred channel

**Email:** [security@panelica.com](mailto:security@panelica.com)

Please include:

- A clear description of the issue
- The affected component (admin UI, customer portal, API endpoint, payment gateway, registrar adapter, server module, etc.)
- Steps to reproduce — minimal proof-of-concept is ideal
- Impact assessment (what an attacker can achieve, who is affected)
- Your PNLCS version, Laravel version, PHP version, MySQL version
- Any logs, screenshots, or scripts that help us reproduce
- Whether you'd like to be credited (and how)

If your finding includes sensitive data (credentials, tokens, customer info, payment details) please redact it before sending. We can provide a PGP key on request.

### Alternative

If email is impractical, you may use [GitHub's private vulnerability reporting](../../security/advisories/new) on this repository.

## What to expect

| Milestone | Target |
|---|---|
| Acknowledgement of your report | Within **48 hours** |
| Initial triage and severity assessment | Within **5 business days** |
| Status updates while we investigate | Weekly, or sooner on critical issues |
| Fix released for critical issues | Typically within **14 days** of confirmation |
| Coordinated disclosure window | **90 days** by default (negotiable) |

We follow coordinated disclosure: we'd like to ship a fix and notify operators before details become public. If you have a hard deadline (conference talk, blog post, regulatory requirement), tell us and we'll work to meet it.

## What's in scope

- The PNLCS application (admin UI, customer portal, REST API, queue workers, scheduled jobs)
- Authentication, RBAC, session and token handling
- Payment gateway integrations (Stripe, PayPal, Bank Transfer, Authorize.Net, etc.)
- Registrar / domain adapters (Enom, Manual, etc.)
- Server adapters (Panelica, cPanel, Plesk, DirectAdmin, Proxmox, Custom)
- Templates and views shipped in the default themes
- Default install / upgrade scripts published from this repository

## What's out of scope

- Vulnerabilities that require **physical access** to the server
- Issues that can only be exploited by someone who already holds **root-equivalent access** to the host
- Defects in third-party packages we depend on (please report those upstream — Laravel, Stripe SDK, etc.)
- **Self-XSS**, missing security headers without a real attack path, clickjacking on non-sensitive pages
- Reports generated by automated scanners with **no demonstrated impact**
- Attacks against demo or sandbox instances run by Panelica
- DDoS, volumetric attacks, social engineering, physical attacks
- Findings in **forks** or **modified** copies — please reproduce against the upstream `main`

## Recognition

We maintain a public hall of fame for researchers who help us. If you'd like to be listed (with a name and optional link), say so in your report. We do not currently run a paid bug bounty programme, but for high-impact findings we may offer:

- Public credit in the security advisory and changelog
- Panelica licence credit
- Project swag

## Safe harbour

We will not pursue legal action against good-faith security researchers who:

- Make a genuine effort to avoid privacy violations, service disruption, and data destruction
- Only test against systems they own or have explicit permission to test
- Give us reasonable time to fix the issue before public disclosure
- Do not exploit findings beyond what's necessary to demonstrate the issue

When in doubt, ask first — [security@panelica.com](mailto:security@panelica.com) — and we'll work it out together.

Thanks for helping keep PNLCS and its users safe.
