Security: Panelica/pnlcs

Security Policy

PNLCS handles billing, customer credentials, payment integrations and reseller workflows for real hosting businesses. A security defect here can affect invoices, customer data and payment flows — we take that seriously.

If you find something, we want to hear about it.

Supported versions

Branch                            Status
main (latest tagged release)      Receives security patches
Last minor release before main    Best-effort backports for critical issues
Older releases                    Please upgrade

The current release is shown in the PNLCS admin footer and on the Releases page.

How to report a vulnerability

Do not open a public GitHub issue, discussion, or forum thread for security findings.

Preferred channel

Email: security@panelica.com

Please include:

  • A clear description of the issue
  • The affected component (admin UI, customer portal, API endpoint, payment gateway, registrar adapter, server module, etc.)
  • Steps to reproduce — minimal proof-of-concept is ideal
  • Impact assessment (what an attacker can achieve, who is affected)
  • Your PNLCS version, Laravel version, PHP version, MySQL version
  • Any logs, screenshots, or scripts that help us reproduce
  • Whether you'd like to be credited (and how)

If your finding includes sensitive data (credentials, tokens, customer info, payment details) please redact it before sending. We can provide a PGP key on request.

Alternative

If email is impractical, you may use GitHub's private vulnerability reporting on this repository.

What to expect

Milestone                                Target
Acknowledgement of your report           Within 48 hours
Initial triage and severity assessment   Within 5 business days
Status updates while we investigate      Weekly, or sooner on critical issues
Fix released for critical issues         Typically within 14 days of confirmation
Coordinated disclosure window            90 days by default (negotiable)

We follow coordinated disclosure: we'd like to ship a fix and notify operators before details become public. If you have a hard deadline (conference talk, blog post, regulatory requirement), tell us and we'll work to meet it.

What's in scope

  • The PNLCS application (admin UI, customer portal, REST API, queue workers, scheduled jobs)
  • Authentication, RBAC, session and token handling
  • Payment gateway integrations (Stripe, PayPal, Bank Transfer, Authorize.Net, etc.)
  • Registrar / domain adapters (Enom, Manual, etc.)
  • Server adapters (Panelica, cPanel, Plesk, DirectAdmin, Proxmox, Custom)
  • Templates and views shipped in the default themes
  • Default install / upgrade scripts published from this repository

What's out of scope

  • Vulnerabilities that require physical access to the server
  • Issues that require root-equivalent access the attacker already has
  • Defects in third-party packages we depend on (please report those upstream — Laravel, Stripe SDK, etc.)
  • Self-XSS, missing security headers without a real attack path, clickjacking on non-sensitive pages
  • Reports generated by automated scanners with no demonstrated impact
  • Attacks against demo or sandbox instances run by Panelica
  • DDoS, volumetric attacks, social engineering, physical attacks
  • Findings in forks or modified copies — please reproduce against the upstream main

Recognition

We maintain a public hall of fame for researchers who help us. If you'd like to be listed (with a name and optional link), say so in your report. We do not currently run a paid bug bounty programme, but for high-impact findings we may offer:

  • Public credit in the security advisory and changelog
  • Panelica licence credit
  • Project swag

Safe harbour

We will not pursue legal action against good-faith security researchers who:

  • Make a genuine effort to avoid privacy violations, service disruption, and data destruction
  • Only interact with systems they own, or have explicit permission to test
  • Give us reasonable time to fix the issue before public disclosure
  • Do not exploit findings beyond what's necessary to demonstrate the issue

When in doubt, ask first — security@panelica.com — and we'll work it out together.

Thanks for helping keep PNLCS and its users safe.