Responsible Disclosure

Found a security issue? Please report it to us before sharing it publicly. This page is the authoritative version of what we promise in return, what is in scope, and what is not. Machine-readable mirror at /.well-known/security.txt.

How to report

Email security@grid.systems. Please do not open a public GitHub issue, social-media thread, or blog post until the fix is shipped and we've coordinated disclosure with you. If you need PGP, ask and we'll publish a key.

Include: a one-line summary, reproduction steps, a proof-of-concept where possible, and the GRID environment you used (local / staging / production). If you found the issue by accident, that's fine; we'd rather hear about it than not.

Our response SLA

  • Initial acknowledgement: 48 hours
  • Severity classification + initial triage: 7 days
  • Fix for Critical / High (CVSS ≥ 7): 14 days
  • Fix for Medium / Low: 60 days
  • Public disclosure window after fix: 30 days (coordinated)

In scope

  • The production host grddd.com and all its subdomains
  • Staging environments if you have been explicitly invited
  • The authenticated API under /api/*
  • Authentication flows: sign-in, sign-up, OAuth, password reset
  • Cross-tenant isolation (can user A see user B's data?)
  • Anthropic BYOK key handling and storage
  • Integration OAuth token handling
  • Webhook receivers at /api/webhooks/*

Out of scope

  • Denial-of-service attacks. Don't: traffic that looks like DoS gets rate-limited and then block-listed
  • Social-engineering the founder or any team member
  • Physical attacks on infrastructure
  • Spam or bulk account creation beyond normal rate limits
  • Issues that require the attacker to already control the victim's own device or browser session (e.g. "I can read my own cookies")
  • Missing security headers on error pages or static assets where we've documented the exception
  • Issues in third-party subprocessors' systems (report those to the subprocessor directly)

Safe harbor

If you make a good-faith attempt to follow this policy, we will not pursue civil or criminal legal action against you for the testing activity. Good faith means: you stayed within the scope above, you did not access or destroy other users' data, you reported promptly, and you gave us a reasonable window before disclosing publicly.

Recognition

We maintain a researcher hall of fame at /changelog. Every valid report gets named (or anonymised, your preference) in the release notes that ship the fix. Monetary bounties are not yet offered — when a formal program launches it will be published here.

Last updated: 2026-04-19 · See also subprocessors, Privacy, Terms.