
Vulnerability disclosure policy

We want to hear about security problems in GrantLock. This page explains how to report a vulnerability, what we promise in return, and the boundaries that keep good-faith research safe. It is written plainly and we mean what it says — we do not commit to numbers we cannot reliably honor as a small team.

Last reviewed:

How to report

Email security@grantlock.ai with the subject prefix [SECURITY]. Please include enough detail for us to reproduce the issue: the affected surface or version, clear steps, and any proof-of-concept. The machine-readable contact for this policy is published at /.well-known/security.txt per RFC 9116.

We do not currently publish a PGP encryption key. If you need to share especially sensitive details before we can establish an encrypted channel, say so in your first message and we will arrange one.

Good-faith safe harbor

If you make a good-faith effort to comply with this policy during your research, we will consider it authorized conduct. We will not pursue or support legal action against you, and we will not report you to law enforcement, for security research that:

  • Stays within the scope described below.
  • Avoids privacy violations, data destruction, and degradation of our services or other users' experience.
  • Uses the minimum interaction needed to confirm a finding, and stops once a vulnerability is demonstrated.
  • Gives us a reasonable opportunity to fix the issue before any public disclosure.

If legal action is initiated by a third party against you for activity conducted in accordance with this policy, we will make it known that your actions were authorized. This is not a waiver of any rights of third parties who are not party to this policy.

Scope

In scope:

  • grantlock.ai and www.grantlock.ai (this marketing site).
  • app.grantlock.ai (the Cloud product) and update.grantlock.ai.
  • The open-source GrantLock scanner published at github.com/grantlock-ai/grantlock, and the signed Free-Binary distribution.

Out of scope:

  • Findings that require physical access to a victim's device, social engineering of our staff, or denial-of-service / volumetric testing.
  • Reports from automated scanners with no demonstrated, exploitable impact (e.g. a missing header with no concrete attack path).
  • Third-party services we depend on but do not operate (Cloudflare, Neon, Clerk, and other subprocessors) — report those to the respective vendor. Our subprocessors are listed for reference.

What to expect

We acknowledge reports promptly and keep you updated as we triage, confirm, and fix. We coordinate disclosure responsibly and will agree a timeline with you rather than impose one. We are a small team and do not commit to a fixed numeric acknowledgement or remediation SLA we cannot reliably meet — when we have a documented, tested incident-response process, we will publish those timelines here.

With your permission, we are glad to credit you once a fix has shipped.

Rewards

We do not currently run a paid bug bounty program, and submitting a report does not create any expectation of payment. Reports are welcome regardless. If we launch a bounty in the future, we will announce it on this page — we will not imply one that does not exist.
