============================================================
VULNERABILITY DISCLOSURE POLICY
============================================================

The purpose of this policy is to outline the guidelines for security researchers who discover potential security vulnerabilities in our products. The goal is to present how GR8 Tech can collaborate with security researchers to improve its security.

------------------------------------------------------------
REPORTING A VULNERABILITY
------------------------------------------------------------

To report a security vulnerability, contact us: disclosure@gr8.tech

We also support encryption: https://gr8.tech/.well-known/pgp-key.txt

Scope:
* https://gr8.tech/

------------------------------------------------------------
EXAMPLES OF IN-SCOPE VULNERABILITIES
------------------------------------------------------------

Vulnerabilities which are accepted include, but are not limited to:
* Injection Attacks (e.g. SQL, Command Injection)
* Cross-Site Scripting (XSS) - Reflected, Stored, DOM-based
* Remote Code Execution (RCE)
* IDOR/BOLA
* Information Disclosure - only exposure of sensitive information (e.g. personal data, internal system details)
* Local File Inclusion / Remote File Inclusion
* Exposed Credentials
* Authorization Bypass / Privilege Escalation
* Open Redirect - only if it poses a security or privacy risk

------------------------------------------------------------
EXAMPLES OF OUT-OF-SCOPE VULNERABILITIES
------------------------------------------------------------

The following categories of issues are considered out of scope for our security program:
* Lack of Secure / HttpOnly cookie flags
* Incorrect or missing SPF, DKIM, or DMARC - email spoofing
* Missing or misconfigured HTTP headers - without proven impact on security
* DoS attacks
* Rate-limiting or brute-force attacks
* Social engineering or phishing attempts
* Lack of CAPTCHA
* Insecure TLS/SSL settings without demonstrated impact
* Self-XSS, where exploitation requires the user to manually paste malicious code into the browser console

------------------------------------------------------------
SECURITY REPORT REQUIREMENTS
------------------------------------------------------------

Please include the following where applicable:
* Step-by-step reproduction instructions - these help us speed up verification
* Affected projects
* Environment details, such as browser name and version (especially for XSS)
* Any other supporting documentation that may assist in verifying and reproducing the issue

------------------------------------------------------------
OUR RESPONSE TIMEFRAMES
------------------------------------------------------------

* Initial response: within 3 business days of receiving the report
* Triage completion: within 10 business days of submission

------------------------------------------------------------
RESPONSIBLE RESEARCHER GUIDELINES
------------------------------------------------------------

By taking part in our vulnerability disclosure program, you agree to act responsibly and in good faith. This means:
* You will not compromise our users' privacy, manipulate any data, or disrupt our service availability
* Your report will describe the vulnerability found in our systems, be clearly written and reproducible, and you will provide further details upon request
* You won't use our sensitive information for testing purposes
* Sharing vulnerability details with third parties outside the GR8 Tech company is forbidden
* While we do not provide compensation upon request, we may issue rewards for original, critical/high-impact reports submitted in good faith