Responsible Disclosure Policy

We understand the amount of effort and dedication that security work requires. As such, we encourage the responsible disclosure of any vulnerabilities to us and we give credit to those who submit valid vulnerabilities on our website.

Targets

• *.grid.is (please read our focus areas/out of scope rules)

Focus Areas

• Main GRID web application https://grid.is

• GRID API https://api.grid.is

Out of Scope / Additional Information

• Any third party SaaS service we use is out of scope.

• Do not use vulnerabilities to access, modify, harm, or otherwise alter any GRID data or that of its customers.

• Do not exploit vulnerabilities except for purposes of demonstrating it to GRID personnel.

• Please contact us at [email protected] if you are unsure of exploitability and we will work with you to verify it safely.

The following finding types are specifically excluded from the policy:

• Descriptive error messages (e.g. stack traces, application or server errors).

• Login Page / Forgot Password Page account brute force or account lockout not enforced without demonstrating a successful login after a lockout attempt.

• HTTP 404 codes/pages or other HTTP non-200 codes/pages.

• Banner disclosure on common/public services.

• BEAST attack.

• Disclosure of known public files or directories (e.g. robots.txt).

• Clickjacking without an exploitable example (e.g. just reporting a missing X-FRAME-OPTIONS header).

• Self-XSS and issues exploitable only through Self-XSS.

• Cross-Site Request Forgery (CSRF) on forms that are available to anonymous users (e.g. the contact form).

• Logout CSRF.

• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.