Skip to main content

Supported Versions

If you are running a version not listed above, please upgrade before reporting.

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.
Send a report to security@grantex.dev with:
  • A clear description of the vulnerability and its potential impact
  • The affected component(s): auth-service, sdk-ts, sdk-py, cli, or SPEC.md
  • Steps to reproduce or a minimal proof-of-concept
  • Any suggested mitigations you have identified
For encrypted reporting, email security@grantex.dev with the subject PGP key request and verify the returned fingerprint through the same address. No public PGP-key URL is currently published.

Response SLA

Coordinated Disclosure

  1. Reporter submits vulnerability to security@grantex.dev
  2. Triage, reproduce, and confirm within 7 business days
  3. Develop and test a fix, keeping the reporter in the loop
  4. Publish a patched release and a CVE (if applicable)
  5. Reporter is credited (or anonymously, at their choice) in release notes
  6. Reporter may publish their write-up 30 days after the patch ships

Scope

In scope

Out of scope

  • Vulnerabilities in third-party dependencies (report upstream; let us know so we can track)
  • Physical access attacks
  • Social engineering
  • Denial-of-service attacks against hosted infrastructure
  • Findings requiring existing admin credentials with no privilege escalation
  • Automated scanner output without evidence of exploitability

Bug Bounty

We do not currently operate a formal bug bounty programme. With the researcher’s permission, impactful reports may be recognized in release notes. No separate public Hall of Thanks page is currently published.
Last modified on July 11, 2026