Coordinated Vulnerability Disclosure (CVD)

Introduction

Found a vulnerability? Please report it immediately. We will assess and remediate it as quickly and carefully as possible.

This is not an invitation to perform extensive scanning or testing; we handle that ourselves.

What we ask

• Email as soon as possible to info@grcguard.com with enough detail to reproduce (URL/IP, description, steps/PoC, impact, your contact details).
• Do not abuse: no (D)DoS, brute-force, social engineering or malware. Do not alter/delete data or exfiltrate personal data.
• Do not disclose publicly until a fix/mitigation is available.

What we promise

• Acknowledgement within 3 business days, with an initial assessment and next steps.
• Transparent updates and a reasonable remediation timeline based on severity.
• Safe harbor: if you act in good faith under this policy, we will not pursue legal action.
• Recognition (on request) after resolution; we do not pay cash rewards at this time.

Out of scope (short)

• Scanner-only reports without analysis.
• Informational header/banner leaks.
• Low-risk best-practice notes.
• Issues on systems we don’t control.