Security

Vulnerability Disclosure

This page explains how to report suspected security issues. It is not a bug bounty program, safe-harbor agreement, or formal SLA.

Report Contact

Send security reports to security@gpcguard.app. For account or billing issues that are not security vulnerabilities, use support@gpcguard.app.

What To Include

  • Affected domain, route, endpoint, or account surface.
  • Steps to reproduce using a non-destructive proof of concept.
  • Observed impact and whether tenant data, tokens, or decision records may be exposed.
  • Any relevant request IDs, timestamps, or screenshots with secrets redacted.

Scope Guidance

  • Do not access, modify, delete, or exfiltrate data that does not belong to your account.
  • Do not run denial-of-service tests, spam tests, or high-volume scans against production systems.
  • Use synthetic accounts and synthetic data when possible.
  • Redact secrets, personal data, API keys, and session tokens from reports.

Current Limitations

GPCGuard does not currently publish a paid bounty, formal response-time SLA, SOC 2 report, ISO certification, or independent penetration-test attestation. Security reports are triaged based on potential customer-data exposure, auth bypass risk, tenant-isolation impact, and availability impact.