How to reach us
Send an encrypted email to security@petanque.life using the PGP key published at /security/pgp-key.asc. If encrypted email is not possible, use the contact form on petanque.life/security and we will respond from a verifiable address.
In scope
- petanque.life and any *.petanque.life subdomain hosted by Petanque Life
- The mobile applications "Petanque Life" and "Petanque Life Admin" published under the Esi System AB developer account
- The public REST API at api.petanque.life
- Tenant CMS sites at *.web.petanque.life
Out of scope
- Self-hosted federation deployments not operated by Petanque Life
- Reports that require physical access to a user device
- Volumetric denial-of-service tests
- Findings limited to outdated browsers, missing best-practice headers without a demonstrated exploit, or social engineering of staff
- Third-party services we integrate with — please report those upstream
What to include
- A clear description of the issue and impact
- Reproduction steps, requests, and any minimal proof-of-concept
- Affected URL, build, or commit hash if known
- Whether you would like to be credited in the hall of fame
Our response commitment
- Acknowledgement within 3 business days
- Triage decision within 10 business days
- Status updates at least every 14 days until resolution
- Public disclosure coordinated with the reporter, typically once a fix is deployed
Safe harbour
Good-faith research that follows this policy will not be pursued legally. Do not access or modify data that is not your own, do not exfiltrate data, and stop testing as soon as the vulnerability is confirmed.
Legal
This policy does not waive criminal liability for actions taken outside its scope, and does not authorise testing against third-party providers. Report only against systems you are authorised to test under this policy.
Hall of fame
We publicly thank researchers who submit valid reports. The hall of fame lives at /security/hall-of-fame.