Pantheon is the professional website platform that gives Drupal and WordPress developers everything they need to build, launch, and run solid websites. We maintain customer privacy, security, and site availability as primary responsibilities of our operation, preferring defense in depth over reactive solutions. We strive to stay abreast of the latest state-of-the-art security developments by working with security researchers. We appreciate the researchers' efforts to help create a more secure Internet.
- Only dashboard.pantheon.io is in scope.
- All other areas/domains are out of scope
- Please do NOT open support tickets
- Submit Proof-Of-Concept videos using supported methods only
When creating an account please use the following syntax for email: email@example.com
In addition to Standard Disclosure Terms, the following guidelines apply:
- Please do not test our capacity or ability to withstand Denial of Service attacks.
- Register for free accounts to test.
- Please test using your own account(s).
- Absolutely no attacks or exploits against accounts not created by you.
- Cross-account access may only attempted between accounts controlled by you.
- No automated off-the-shelf scanners (like Acunetix or the Burp Suite).
- Limit scripted / API tests must be rate limited to 1 request per second.
The following finding types are specifically excluded from the bounty:
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password