Responsible disclosure
Found a vulnerability in grith? Here's how to report it.
If you've found a security vulnerability in grith, please report it privately rather than opening a public issue. We take security reports seriously and acknowledge every report.
How to report
Email security@grith.ai with:
- A description of the issue.
- Steps to reproduce (a working exploit is helpful but not required).
- Your assessment of impact.
- Whether you'd like to be credited in the advisory.
For sensitive details, you can encrypt to our PGP key: grith.ai/security.asc.
What you can expect
| When | What |
|---|---|
| Within 24h | Acknowledgement that we've received the report. |
| Within 5 business days | Initial triage — confirmed/duplicate/needs-info. |
| Per the fix complexity | Patch development, often with you in the loop. |
| Within 90 days | Public disclosure if a fix has shipped (or sooner if you prefer). |
We coordinate disclosure timing with you. A CVE is filed for confirmed vulnerabilities that warrant one.
Scope
In scope:
- The grith binary itself.
- The dashboard (grith.ai/dashboard, self-hosted dashboard).
- The Pro and Enterprise services (license refresh, sync, analytics).
- The grith-docs site (only for issues that affect user safety, e.g. link-redirect attacks).
Out of scope:
- Reports on the public grith.ai marketing site that don't involve user data or auth.
- Reports on third-party integrations (Slack, Telegram, etc.) — report those to the relevant vendor.
- Self-XSS, theoretical issues without working PoC, missing best-practice headers on non-auth pages.
Bug bounty
We don't currently run a paid bug bounty. We do:
- Credit you in the advisory (if you want — anonymous is fine too).
- Send swag / a thank-you for confirmed reports.
- Consider a discretionary reward for high-severity (CVSS ≥ 7) issues.
What not to do
Please don't:
- Test against grith.ai infrastructure beyond the minimum needed to verify a finding.
- Test against other people's grith installs without their explicit authorisation.
- Publicly disclose the finding before we've had a chance to ship a fix.
Acknowledgements
The published list of security researchers who've reported confirmed issues is at grith.ai/security/acknowledgements.
See also
- Advisories — past CVEs and fixes.
- Threat model
- security.txt — RFC 9116 contact file.
Last updated: 2026-05-14