Supported Versions
If you are running a version not listed above, please upgrade before reporting.
Reporting a Vulnerability
Send a report to security@grantex.dev with:- A clear description of the vulnerability and its potential impact
- The affected component(s):
auth-service,sdk-ts,sdk-py,cli, orSPEC.md - Steps to reproduce or a minimal proof-of-concept
- Any suggested mitigations you have identified
security@grantex.dev with the subject PGP key request and verify the returned fingerprint through the same address. No public PGP-key URL is currently published.
Response SLA
Coordinated Disclosure
- Reporter submits vulnerability to
security@grantex.dev - Triage, reproduce, and confirm within 7 business days
- Develop and test a fix, keeping the reporter in the loop
- Publish a patched release and a CVE (if applicable)
- Reporter is credited (or anonymously, at their choice) in release notes
- Reporter may publish their write-up 30 days after the patch ships
Scope
In scope
Out of scope
- Vulnerabilities in third-party dependencies (report upstream; let us know so we can track)
- Physical access attacks
- Social engineering
- Denial-of-service attacks against hosted infrastructure
- Findings requiring existing admin credentials with no privilege escalation
- Automated scanner output without evidence of exploitability