Skip to main content
This page covers how to report a security finding, what we treat as in-scope, and the response timelines you can hold us to. The canonical machine-readable policy is served at https://gavai.io/.well-known/security.txt in RFC 9116 format; this page mirrors it in human-readable form.

SLAs at a glance

How to report

In scope — what we want

Not actionable

These categories aren’t dismissed as a class — they’re not actionable as vulnerability reports without a demonstrated exploit path.

Out of scope

Tenant-app-level vulnerabilities owned by the tenant operator — for example, SQL injection in a tenant’s own Postgres schema, or a misconfigured form in a tenant’s app — are the responsibility of the tenant operator, not gavAI. Report those directly to the operator. If such a report reaches us in error, we forward it to the relevant workspace owner.

Acknowledgments

Researchers who report valid in-scope findings are listed at https://gavai.io/legal/transparency. Listing is opt-in — tell us in your report if you prefer to remain anonymous.

Canonical sources