Coordinated vulnerability disclosure
GrailGuard moves luxury goods, payments, and personal data. We take security seriously and welcome good-faith research from the community.
Quick report: email security@grailguard.io with a PoC and your contact details. We respond within 1 business day and update weekly until the report is closed. Our PGP key fingerprint is published on this page and in our /.well-known/security.txt.
Scope
In-scope assets
- grailguard.io (public marketing + booking)
- *.grailguard.io (admin, courier portal, partner portals, API)
- api.grailguard.io/v1/*
- GrailGuard mobile app (iOS & Android) — reports must include OS version and build
Out of scope
- Third-party services we integrate with (Stripe, Postmark, Twilio, Duffel, Cloudinary) — please report directly to the provider
- DoS / DDoS, volumetric or resource-exhaustion attacks
- Physical attacks against our offices or personnel
- Social engineering of our staff, drivers, or customers
- Self-XSS, clickjacking on pages without authenticated state change, missing security headers without a working exploit chain
- Automated scanner output without a validated finding
Rewards
We do not offer paid bounties at this time, but we do offer recognition and GrailGuard credit. We will revisit paid bounties once we reach our next funding milestone.
| Severity | What counts | Acknowledgement |
|---|---|---|
| Critical | Remote code execution, SQL injection on production DB, authentication bypass yielding admin access, reading other customers' payment methods or IDs | Hall of Fame + $500 GrailGuard credit (or charitable donation in your name) |
| High | IDOR exposing another customer's bookings or recipients, stored XSS in authenticated dashboards, auth token theft, signed-webhook forgery | Hall of Fame + $250 credit |
| Medium | Reflected XSS in authenticated pages, CSRF on state-changing endpoints, rate-limit bypass on sensitive actions | Hall of Fame + $100 credit |
| Low | Information disclosure, edge-case timing attacks, insecure direct references without privilege escalation | Hall of Fame listing |
Safe harbour
If you follow the rules below, we will not pursue civil or criminal action against you for good-faith research, and we will work with you to defuse any third-party claim (ISP, hosting provider, Stripe, etc.) that may arise.
- Only test accounts you created yourself — do not access any other customer's data
- Stop as soon as you confirm the vulnerability; do not read, copy, alter, or delete data beyond what's required for PoC
- Do not disrupt services for other customers
- Give us reasonable time (minimum 90 days) to remediate before public disclosure
- Do not extort, threaten, or publish the issue prior to disclosure coordination
How to report
Send a report to security@grailguard.io. Please include:
- A brief summary (1-2 sentences)
- Severity estimate
- Step-by-step reproduction with any HTTP requests / responses
- PoC video or screenshots (optional, but helpful)
- Your contact details + preferred public name for the hall of fame
- Whether you'd like credit disclosed publicly or prefer anonymity
Hall of fame
Researchers who have responsibly disclosed vulnerabilities to us. We add new entries with researcher consent.
- Reserved for the first researcher.
Last updated: 2026-04-20.