Last updated: 2026
PMAP is Privia Security’s enterprise vulnerability management platform and multi-vendor scan orchestrator, developed by Privia Security Ltd and relied on by security teams. We welcome reports from security researchers who help us keep PMAP and pmap.io safe. This Responsible Disclosure Policy explains how to report a vulnerability to us and what you can expect in return.
Our commitment
We commit to taking reasonable technical and administrative measures to protect our systems and the personal data we hold, to investigating reports promptly, and to working with researchers in good faith. We will not pursue legal action against researchers who follow this policy and act in good faith.
How to report a vulnerability
Please send your report to [email protected]. Include enough detail for us to reproduce and validate the issue, such as:
- the affected URL, endpoint or component;
- a clear description of the vulnerability and its potential impact;
- the steps required to reproduce it, including any proof-of-concept; and
- any relevant logs, requests or screenshots.
Guidelines for researchers
- Give us a reasonable time to investigate and remediate before any public disclosure.
- Do not access, modify or delete data that does not belong to you, and do not degrade the availability of our services.
- Only test against systems that clearly belong to PMAP or Privia Security Ltd.
- Do not use social engineering, physical attacks, or denial-of-service techniques.
Out of scope
Reports that describe theoretical issues without a demonstrated security impact, missing best-practice hardening on systems with no exploitable consequence, automated scanner output without validation, and findings on third-party services we do not operate are generally out of scope.
What to expect
We will acknowledge your report, keep you informed as we investigate, and let you know when the issue is resolved. We are grateful for every good-faith report that helps us protect our customers.
Contact
Security reports: [email protected]. General enquiries: our contact page.