Security Disclosure Policy
We take the security of platform.servgrid.net seriously. If you believe you have found a security vulnerability, please report it to us as described below. We appreciate responsible disclosure.
How to Report
Email: security@servgrid.net
Please include:
- Description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots (if applicable)
- Your name/handle (for acknowledgment, if desired)
Our Commitments
- Acknowledge: We will acknowledge receipt within 48 hours.
- Investigate: We will investigate and aim to validate the report within 7 days.
- Fix: Critical vulnerabilities (CVSS ≥ 9.0) will be patched within 24 hours of validation. High-severity vulnerabilities (CVSS ≥ 7.0) will be patched within 72 hours.
- Notify: We will notify you when the fix is deployed.
- Credit: With your permission, we will acknowledge your contribution on our acknowledgments page.
Scope
In scope:
- platform.servgrid.net (all subdomains)
- The Service Directory application and its APIs
Out of scope:
- Third-party services (GCP infrastructure, Sentry)
- Denial of service attacks
- Social engineering or phishing of our staff
- Findings from automated scans without accompanying proof of exploitability
Safe Harbour
We will not pursue legal action against researchers who discover and report security vulnerabilities in good faith, provided they:
- Do not access, modify, or delete data belonging to other users
- Do not perform denial of service attacks
- Report the vulnerability to us before public disclosure
- Give us reasonable time to address the issue before disclosure