Vulnerability Disclosure Policy
1. Scope
- socialgryd.com and all subdomains
- SocialGryd iOS app (App Store) and Android app (Google Play)
- SocialGryd Flutter Web app at socialgryd.com/app.html
- Partner portal at portal.socialgryd.com
- Public APIs and Cloud Functions endpoints
- Firebase infrastructure under our control (security rules, Cloud Functions code; not Google Cloud platform-level vulnerabilities, which should go to Google)
2. Out of scope
- Social-engineering of SocialGryd staff or members
- Physical attacks against SocialGryd facilities
- Denial-of-service testing against production systems
- Automated scanning that generates significant load (please coordinate first)
- Spam / abuse reports unrelated to a security defect
- Issues in third-party services we use (Google, Apple, Anthropic, Stripe, etc.) — report to the provider
- Missing best-practice configurations without a demonstrable exploit (for example, missing HSTS preload) — we will fix but cannot bounty
- Self-XSS, clickjacking on pages without sensitive actions, email-spoofing without DMARC p=reject relevance, or other low-impact findings
3. How to report
Email security@socialgryd.com. Please include:
- Clear description of the vulnerability and affected component.
- Minimal steps to reproduce.
- Proof of concept (screenshots or video welcome; no destructive actions against real user data).
- Impact assessment (what can an attacker do?).
- Your contact details (anonymous reports accepted but we cannot acknowledge or reward).
PGP key for encrypted submissions: fingerprint and public block published at /.well-known/security.txt.
4. security.txt
We publish an RFC 9116 security.txt at /.well-known/security.txt:
Contact: mailto:security@socialgryd.com
Expires: 2027-04-22T00:00:00.000Z
Encryption: https://socialgryd.com/.well-known/pgp.asc
Preferred-Languages: en
Canonical: https://socialgryd.com/.well-known/security.txt
Policy: https://socialgryd.com/vulnerability-disclosure
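A small RFC 9116 parser and validator for the file above, added here as example code (not SocialGryd's own tooling); the file content is a constructed copy of the quoted lines, and the checks (required fields, Expires not past and under a year out, https web URIs, Canonical matching the serving URL) follow the RFC's requirements and recommendations.

```python
from datetime import datetime, timedelta
# Constructed copy of the security.txt quoted above; not fetched from the live site.
SECURITY_TXT = """\
Contact: mailto:security@socialgryd.com
Expires: 2027-04-22T00:00:00.000Z
Encryption: https://socialgryd.com/.well-known/pgp.asc
Preferred-Languages: en
Canonical: https://socialgryd.com/.well-known/security.txt
Policy: https://socialgryd.com/vulnerability-disclosure
"""
REQUIRED = ("Contact", "Expires")  # RFC 9116: both MUST be present
WEB_FIELDS = ("Encryption", "Canonical", "Policy")  # web URIs MUST use https

def _ts(value):
    """Parse an RFC 3339 timestamp such as 2027-04-22T00:00:00.000Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_security_txt(text):
    """Map each 'Field: value' line to a list of values; blank and '#' comment lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {line!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def validate(fields, now_iso, served_at):
    """Return the problems found; an empty list means the file passes these checks."""
    problems = [f"missing required field {n}" for n in REQUIRED if n not in fields]
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif expires:
        now, exp = _ts(now_iso), _ts(expires[0])
        if exp <= now:
            problems.append("file has expired")
        elif exp - now > timedelta(days=365):
            problems.append("Expires is more than a year out")  # RFC recommends under a year
    for name in WEB_FIELDS:
        problems += [f"{name} is not an https URL" for v in fields.get(name, []) if not v.startswith("https://")]
    problems += [f"Contact has unexpected scheme: {v}" for v in fields.get("Contact", [])
                 if not v.startswith(("mailto:", "https://", "tel:"))]
    if "Canonical" in fields and served_at not in fields["Canonical"]:
        problems.append("Canonical does not list the URL the file is served from")
    return problems
```

Run it against the file fetched from /.well-known/security.txt as a periodic check so an expired or mis-served file is caught before a researcher hits it.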
5. Safe harbour
If you make a good-faith effort to comply with this policy during your security research, we commit to:
- not initiating or supporting legal action against you for your research — including under the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), the Penal Code §2174 (Estonia), Directive 2013/40/EU (EU), or similar laws;
- not initiating or supporting claims for circumvention of technological protection measures under the DMCA §1201 or Article 6 of Directive 2001/29/EC; and
- working with you to understand and quickly resolve the issue.
To qualify for safe harbour, your research must:
- Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Use only the accounts you own or have explicit written permission to test.
- Stop testing and notify us on first observation of any user data other than your own.
- Keep confidential the vulnerability details until we have had a reasonable opportunity to fix (typically 90 days; negotiable).
- Not engage in extortion or demand compensation in exchange for non-disclosure.
6. Response timeline
- Acknowledgement: within 72 hours (usually faster).
- Triage outcome: within 7 days.
- Remediation target: 30 days for high-severity, 90 days for medium, best-effort for low.
- Public credit (with your consent) after remediation and any coordinated disclosure window has passed.
7. Rewards
We do not currently run a paid bug-bounty programme. We will acknowledge significant contributions in a Hall of Fame once production traffic is live, and we intend to launch a formal programme on HackerOne or Bugcrowd within 90 days of public launch. Researchers who substantively contribute to our security pre-launch will be invited to the private-beta programme when it opens.
8. Coordinated disclosure with third parties
If your report implicates a third-party service (Anthropic, Amplitude, Google Cloud, Stripe, Resend, Svix, Shorebird, etc.), we coordinate disclosure with that party under their disclosure policy. Please allow us to lead the coordination unless the third party has its own direct channel that you prefer.
9. Reporting via CERT or national CSIRT
If you prefer to report through a national CSIRT, we accept reports routed via CERT-EE (Estonia), the UK NCSC, CISA (US), or any CERT operating under the CSIRTs Network (EU Directive 2016/1148). Please CC security@socialgryd.com.