Responsible disclosure

Security at GACS

We welcome reports of security issues affecting gacs.app. This page explains scope, safe-harbor, and how to reach the security team.

Contact

Email security@gacs.app with reproduction steps. A machine-readable contact record is published at /.well-known/security.txt.
Scope

In scope

  • gacs.app web app and APIs
  • Authentication and account flows
  • Public dataset endpoints (/api/public/*)
  • Scam report submission pipeline

Out of scope

  • Third-party providers (Supabase, Cloudflare, Stripe)
  • Social engineering against staff or users
  • DoS / volumetric testing
  • Self-XSS and missing best-practice headers without impact

Safe harbor

Good-faith security research conducted under this policy will not result in legal action from GACS. Please don't access other users' data, don't run destructive tests against production, and give us a reasonable window to ship a fix before public disclosure.

FAQ

How do I report a security vulnerability in gacs.app?

Email security@gacs.app with reproduction steps. We acknowledge within 48 hours and aim to triage within 5 business days. See our machine-readable security.txt at /.well-known/security.txt.

Does GACS run a paid bug bounty?

Not at this time. GACS is a free public-safety platform with no revenue from users. We publicly credit responsible reporters on this page and on /trust.

What is in scope?

Anything served from gacs.app and api.gacs.app, including the web app, public JSON/CSV endpoints, authentication, and the report submission pipeline. Out of scope: third-party services (Supabase, Cloudflare, Stripe), social engineering, and DoS testing.

Will you take legal action against good-faith researchers?

No. Researchers acting in good faith under this policy will not face legal action from GACS. Don't access other users' data, don't run destructive tests against production, and don't publish details before we've shipped a fix.

Does GACS handle payments or private keys?

No. GACS never takes payments, never executes trades, and never asks users for seed phrases or private keys. Anyone claiming otherwise in our name is impersonating us — please report it.

More about how we operate: methodology · editorial policy · trust.