1. Reporting
Email security@panzoe.ai with a description, reproduction steps and impact. We acknowledge reports within 3 business days and keep you informed as we investigate and fix.
2. Safe harbour
We will not pursue legal action for good-faith research that respects this policy: don't access other users' data beyond a minimal proof of concept, don't degrade the service, don't exfiltrate or retain data, and give us reasonable time to fix before public disclosure.
3. In scope / out of scope
In scope: the Panzoe web application and API. Out of scope: denial-of-service, social engineering of staff or users, physical attacks, spam, and issues in third-party services (report those to the respective vendor).
4. Recognition
We don't operate a paid bounty programme yet, but we gratefully credit researchers (with permission) once an issue is resolved.