Security · v1.0

Responsible Disclosure

Scope, safe-harbour, SLAs and recognition for good-faith security researchers.

1. Scope

In-scope: gacs.app and its subdomains, the /api/public/* surface, the Lovable-hosted backend that powers GACS, and our official browser extension. Out-of-scope: third-party services we integrate with (their vendors run their own programs), automated scanner output without proof of exploitability, social engineering of GACS staff, denial-of-service, physical attacks, and findings on disposable preview URLs.

2. What we want to hear about

  • Authentication or authorisation bypass.
  • Row-level-security or RPC bypass that leaks PII or admin-only data.
  • Stored or reflected XSS, SSRF, RCE, SQLi.
  • Privilege escalation against admin routes (already noindex'd).
  • Insecure direct object reference on user submissions or certificates.
  • Webhook signature bypass on /api/public/hooks/*.
  • Anything that would let an attacker silently de-list a scam or fake a verified certificate.

3. How to report

Email security@gacs.app with a clear PoC. PGP available on request. Please do not open public GitHub issues for security findings, do not post on social media before we have responded, and do not access more data than is necessary to demonstrate the issue.

4. Response SLAs

  • Acknowledgement within 2 business days.
  • Triage and severity assessment within 5 business days.
  • Fix targets: critical 7 days, high 14 days, medium 30 days, low 90 days.
  • Coordinated public disclosure once the fix is shipped, with credit to the reporter unless they prefer anonymity.

5. Recognition

GACS is an independent public-good project; we do not currently run a paid bounty. We do offer public credit on a hall-of-fame page, a verified researcher badge, and a free top-tier Academy certification (CFPS / CBI / OIA / MICA) for high-impact valid findings.

6. Safe harbour

GACS will not pursue civil action or report you to law enforcement for good-faith security research that complies with this policy — even if you incidentally access data you should not have. You must stop immediately, report the issue, and delete any data you accessed.