# Responsible disclosure and vulnerability reporting

Security is a shared responsibility. If you identify a vulnerability or security concern affecting Glesys, report it so the issue can be addressed. This document describes the reporting process, scope, and what to expect during handling.

## How to report a vulnerability

If you discover a potential issue, email <security@glesys.com> with:

* A description of the vulnerability
* Steps to reproduce it
* Technical details or proof of concept
* Your contact information

Glesys aims to respond within one business day and will provide updates during the investigation and remediation process.

## Scope

Reports are accepted for:

* Glesys-owned infrastructure, systems, and services
* Production services operated directly by Glesys

Out of scope:

* Customer-owned systems or services
* Third-party integrations
* Test/staging environments
* Common low-impact issues such as missing HTTP headers, SPF/DMARC misconfigurations, or self-XSS

## Responsible research guidelines

To ensure a controlled process, researchers should:

* Avoid testing production systems without permission
* Not access or interact with customer data
* Not use denial-of-service methods, social engineering, or physical intrusion
* Avoid automated scanning that may impact availability
* Act lawfully and in good faith

Test environments are not provided, so activity must be conducted with minimal impact.

## Recognition

Valid, high-impact reports may be acknowledged privately. In some cases, and depending on severity, a small reward or token of appreciation may be offered. Severity is assessed using industry-standard methods such as CVSS v3.1. Glesys does not operate a public hall of fame or a formal bug bounty program.

## Legal safe harbor

If research follows this policy and is conducted in good faith:

* Glesys will not pursue legal action
* Activity will be treated as authorized under this policy
* Glesys will collaborate to resolve the issue

This applies only to lawful activity.

## Privacy and data protection

Researchers should avoid handling personal data. If personal data is accessed unintentionally:

* Stop immediately
* Do not copy or distribute the data
* Notify Glesys
* Delete the data if requested

Glesys complies with GDPR and ISO/IEC 27001 and expects adherence to applicable privacy requirements.

## Coordinated disclosure

Glesys does not publicly disclose vulnerabilities until a fix is in place and risks have been reviewed. In some cases, coordinated disclosure with the reporting party may be arranged.
