Vulnerability Disclosure

Last Updated: 29 August 2025

1. Philosophy

We appreciate responsible security research and welcome vulnerability reports that help protect our users and partners.

2. Safe Harbor

We will not initiate legal action for good-faith research that:

• Avoids privacy violations, service disruption, and data destruction.
• Accesses only the minimum data necessary to demonstrate a vulnerability.
• Respects the rules below and reports swiftly.

3. In Scope

• gmodprotect.org web properties.
• Public API and client addon artifacts.

4. Out of Scope

• Social engineering, physical attacks, spam/DM abuse.
• Denial-of-service or volumetric testing.
• Vulnerabilities in third-party services not under our control.
• CSAM handling/reporting flows (report such content immediately to the appropriate national authority).

5. Rules of Engagement

• Do not exfiltrate, modify, or retain data beyond proof-of-concept.
• Do not access other users’ personal data.
• Provide a clear, reproducible report with impact assessment.

6. Reporting

Send reports to: security@gmodprotect.org.

Include steps to reproduce, affected endpoints, and any logs or screenshots.

7. Recognition

We do not offer monetary bounties at this time. We are happy to publicly acknowledge contributors where appropriate.

8. Response Targets

• Triage acknowledgement: within 3 business days.
• Initial assessment: within 5 business days.
• Remediation timeline depends on severity and complexity.