Security Policy
Last updated: March 2026 · Responsible Disclosure Framework
Our Commitment
Security is the foundation of everything we do at SentryTrace. We are committed to operating responsibly, protecting the organizations we work with, and maintaining the highest standards of ethical conduct in all security research activities.
This page outlines our security practices, responsible disclosure program, and how to contact us regarding security concerns.
Reconnaissance Methodology
SentryTrace operates exclusively within the boundaries of publicly accessible data and infrastructure. Our methodology is designed to mirror real-world attacker reconnaissance while remaining fully within legal and ethical boundaries:
- All scans target only publicly resolvable domains and IP addresses
- We do not exploit vulnerabilities — we identify and report them
- No authentication bypass, credential stuffing, or other intrusive testing is performed without explicit written authorization
- Scan activity is rate-limited to avoid disrupting target infrastructure
- Findings are delivered exclusively to authorized organizational contacts
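As an added illustration (not SentryTrace's own tooling), the Python snippet below shows how the first and fourth constraints above can be enforced before a single packet leaves a scanner: a scope check that rejects any resolved address that is not globally routable (RFC 1918, loopback, link-local, multicast and reserved ranges), and a token-bucket limiter that spaces requests to a fixed rate. The host names, the static resolver standing in for DNS, and the FakeClock are constructed for the example; the rate and burst values are arbitrary.

```python
import ipaddress
import time
from typing import Callable, Dict, List, Optional, Tuple


def in_scope(address: str) -> bool:
    """Accept only globally routable unicast addresses.

    Private (RFC 1918 / ULA), loopback, link-local, multicast, reserved and
    unspecified addresses are rejected, as is anything that does not parse.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


class TokenBucket:
    """Token bucket: at most `burst` requests at once, refilled at `rate` per second."""

    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate = rate
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def acquire(self) -> float:
        """Take one token; return the delay in seconds the caller must sleep before sending."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0.0
        delay = (1.0 - self.tokens) / self.rate
        # The token consumed is the one that refills during the wait, so the
        # bucket is empty again as of now + delay.
        self.tokens = 0.0
        self.last = now + delay
        return delay


def plan_scan(targets: List[str],
              resolver: Callable[[str], Optional[List[str]]],
              bucket: TokenBucket) -> Tuple[List[Tuple[str, str, float]], List[Tuple[str, Optional[str], str]]]:
    """Resolve each target, drop out-of-scope addresses, and schedule the rest.

    Returns (scheduled, rejected) where scheduled holds (host, ip, delay_before_send)
    and rejected holds (host, ip_or_None, reason). Nothing is sent here; a real
    scanner would sleep(delay) and then probe.
    """
    scheduled, rejected = [], []
    for host in targets:
        addresses = resolver(host) or []
        if not addresses:
            rejected.append((host, None, "unresolvable"))
            continue
        for ip in addresses:
            if not in_scope(ip):
                rejected.append((host, ip, "non-public address"))
                continue
            scheduled.append((host, ip, bucket.acquire()))
    return scheduled, rejected


# Constructed sample data: a static table standing in for DNS. The intranet
# record models a split-horizon leak of an RFC 1918 address into public DNS.
SAMPLE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.20.30.40"],
    "localhost": ["127.0.0.1", "::1"],
    "gone.example.com": [],
    "mail.example.com": ["93.184.216.35", "2606:4700:4700::1111"],
}


class FakeClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    bucket = TokenBucket(rate=2.0, burst=2, clock=FakeClock())
    sched, rej = plan_scan(list(SAMPLE_DNS), SAMPLE_DNS.get, bucket)
    for row in sched:
        print("send", row)
    for row in rej:
        print("skip", row)
```

With a burst of 2 and a rate of 2/s, the first two in-scope addresses go out immediately and the third is told to wait 0.5 s; every address in a private, loopback or link-local range is dropped before any probe is scheduled, regardless of which public name resolved to it.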
Legal framework: Our external reconnaissance activities are conducted in compliance with applicable law, including the Computer Fraud and Abuse Act (CFAA) and equivalent legislation in other jurisdictions. We operate on a strictly passive, non-intrusive basis unless a formal penetration testing agreement is in place.
Data Handling & Report Security
Security assessment results are sensitive by nature. We apply the following controls to all report data:
- Reports are transmitted exclusively over TLS-encrypted channels
- Access to scan results is restricted to authorized personnel on a need-to-know basis
- All data is retained for a maximum of 90 days post-delivery, then permanently purged
- We do not store copies of client credentials, internal data, or sensitive findings beyond the delivery period
Responsible Disclosure Program
If you discover a vulnerability in SentryTrace's own infrastructure, website, or services, we encourage responsible disclosure. We commit to:
- Acknowledging your report within 48 hours
- Providing a status update within 7 days
- Working to remediate validated findings within 30 days
- Crediting researchers who report valid vulnerabilities (if desired)
- Not pursuing legal action against good-faith security researchers
To report a vulnerability in SentryTrace systems, contact security@sentrytrace.com with a clear description of the issue, steps to reproduce, and your contact information. Please do not publicly disclose vulnerabilities before we have had the opportunity to remediate them.
Scope — What We Ask You Not To Do
When testing or researching SentryTrace, please avoid:
- Automated scanning at high volumes that may impact service availability
- Accessing or modifying data belonging to other clients
- Social engineering attacks against our team or clients
- Physical security attacks
- Publicly disclosing findings before coordinated disclosure is complete