Security

Security disclosures.

Sentinel handles inverter telemetry and (with explicit customer consent) issues write commands to real grid-tied hardware. We treat security reports with the seriousness that implies.

Report a vulnerability

If you believe you have found a security vulnerability in Sentinel — the agent, the cloud API, the dashboard, the pairing flow, or any other surface — please email hello@sentinelapp.solar with subject line beginning "SECURITY:".

Include enough detail for us to reproduce the issue: affected version, steps to reproduce, expected vs actual behaviour, and what you believe the impact is. PGP-encrypted reports are welcome on request.

What we promise

  • Acknowledgement within 2 business days.
  • Initial assessment within 5 business days.
  • Coordinated disclosure timeline agreed in writing.
  • No legal action against good-faith reporters who follow this policy.
  • Public credit (with your permission) once a fix has shipped.

Scope

In scope: sentinelapp.solar, the Sentinel agent (all distribution channels), the Cloudflare Worker / Durable Object infrastructure, the pairing flow, and any official Sentinel mobile or desktop client.

Out of scope: social engineering, physical attacks, denial-of-service tests against production infrastructure, and attacks against third-party services (Stripe, Cloudflare, etc.) that we depend on.

Safe-harbour

If you make a good-faith effort to comply with this policy during your research, we will consider your research authorised, work with you to understand and resolve the issue quickly, and not pursue legal action against you. If a third party (e.g. law enforcement) initiates action while you are complying with this policy, we will make our position clear.


Last updated 21 May 2026.