Vulnerability Disclosure Policy

How to report a security issue to Parthenius Air, and what to expect in return.

Our commitment

Parthenius Air operates in an environment where the confidentiality of our clients and the integrity of our systems are non-negotiable. We welcome reports from security researchers who identify vulnerabilities in our infrastructure. This policy explains what is in scope, how to report, and the protections extended to researchers who act in good faith.

How to report

Send your report to info@parthenius-air.com. Where possible, encrypt your submission using our PGP key, published at /pgp-key.txt.

A useful report includes:

• A clear description of the vulnerability and its potential impact
• Steps to reproduce, including URLs, payloads, or requests
• Any proof-of-concept material (screenshots, logs, scripts)
• Your name or handle, if you would like to be credited

Scope

The following systems are in scope for this policy:

• parthenius-air.com and its subdomains
• Public-facing infrastructure operated by Parthenius Air (Pty) Ltd

The following are explicitly out of scope:

• Client operational environments, deployed Zerathis systems, or any field infrastructure
• Third-party services we integrate with (report these to the vendor directly)
• Social engineering of our staff, contractors, or clients
• Physical attacks against our offices or personnel
• Denial-of-service testing, volumetric attacks, or resource exhaustion
• Findings from automated scanners without demonstrated exploitability
• Missing security headers, cookie flags, or other low-severity configuration notes without a concrete attack path

Rules of engagement

To remain within the protection of this policy, researchers agree to:

• Test only against systems listed as in scope
• Avoid privacy violations, data destruction, or service degradation
• Stop testing and report immediately if personal data is encountered, and not retain, copy, or disclose such data
• Not publicly disclose the vulnerability before we have had reasonable opportunity to remediate (see timelines below)
• Not demand payment as a condition of disclosure

Our response

When you submit a report in line with this policy, we commit to:

• Acknowledge receipt within 3 business days
• Provide an initial assessment within 10 business days
• Keep you informed of remediation progress at reasonable intervals
• Credit you publicly where you wish to be credited, once the issue is resolved
• Not pursue legal action against researchers acting in good faith within the terms of this policy

We aim to remediate high-severity issues within 30 days and lower-severity issues within 90 days. Coordinated public disclosure is welcome after remediation.

Safe harbour

Parthenius Air considers security research conducted in accordance with this policy to be authorised access for the purposes of the Cybercrimes Act 19 of 2020 and related legislation. We will not initiate legal action against researchers for activities that fall within the scope and rules of engagement set out above. If a third party brings legal action against you for research conducted in good faith under this policy, we will take reasonable steps to make clear that your actions were authorised.

This safe harbour does not extend to activity that violates South African law, breaches the rights of third parties, or falls outside the scope of this policy.

Personal information

Reports you submit may contain personal information about you or others. We process this information in accordance with the Protection of Personal Information Act 4 of 2013 (POPIA) and our Privacy Policy, solely for the purpose of investigating and remediating the reported issue.

Bounty

Parthenius Air does not currently operate a paid bug bounty programme. We recognise meaningful contributions through public acknowledgement and direct correspondence. This may change in future; any such programme will be announced on this page.

Contact

Primary: info@parthenius-air.com
Machine-readable policy: /.well-known/security.txt