Responsible disclosure and vulnerability reporting

Security is a shared responsibility. If you identify a vulnerability or security concern affecting Glesys, report it so the issue can be addressed. This document describes the reporting process, scope, and what to expect during handling.

How to report a vulnerability

If you discover a potential issue, email [email protected] with:

  • A description of the vulnerability

  • Steps to reproduce it

  • Technical details or proof of concept

  • Your contact information

Glesys aims to respond within one business day and will provide updates during the investigation and remediation process.

Scope

Reports are accepted for:

  • Glesys-owned infrastructure, systems, and services

  • Production services operated directly by Glesys

Out of scope:

  • Customer-owned systems or services

  • Third-party integrations

  • Test/staging environments

  • Common low-impact issues such as missing HTTP headers, SPF/DMARC misconfigurations, or self-XSS

Responsible research guidelines

To ensure a controlled process, researchers should:

  • Avoid testing production systems without permission

  • Not access or interact with customer data

  • Not use denial-of-service methods, social engineering, or physical intrusion

  • Avoid automated scanning that may impact availability

  • Act lawfully and in good faith

Test environments are not provided, so activity must be conducted with minimal impact.

Recognition

Valid, high-impact reports may be acknowledged privately. In some cases, and depending on severity, a small reward or token of appreciation may be offered. Severity is assessed using industry-standard methods such as CVSS v3.1. Glesys does not operate a public hall of fame or a formal bug bounty program.

If research follows this policy and is conducted in good faith:

  • Glesys will not pursue legal action

  • Activity will be treated as authorized under this policy

  • Glesys will collaborate to resolve the issue

This applies only to lawful activity.

Privacy and data protection

Researchers should avoid handling personal data. If personal data is accessed unintentionally:

  • Stop immediately

  • Do not copy or distribute the data

  • Notify Glesys

  • Delete the data if requested

Glesys complies with GDPR and ISO/IEC 27001 and expects adherence to applicable privacy requirements.

Coordinated disclosure

Glesys does not publicly disclose vulnerabilities until a fix is in place and risks have been reviewed. In some cases, coordinated disclosure with the reporting party may be arranged.
