> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gavai.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Reporting vulnerabilities

> Coordinated disclosure: how to report, what we want, what's out of scope, and the response SLAs you can hold us to.

export const Def = ({term, type, defaultValue, required, children}) => <>
    <dt className="gv-def-list__term">
      <span className="gv-def-list__name">{term}</span>
      {type && <span className="gv-def-list__type">{type}</span>}
      {required && <span className="gv-def-list__required">required</span>}
      {defaultValue !== undefined && <span className="gv-def-list__default">
          default <code>{defaultValue}</code>
        </span>}
    </dt>
    <dd className="gv-def-list__description">{children}</dd>
  </>;

export const DefList = ({children}) => <dl className="gv-def-list">{children}</dl>;

export const CTABanner = ({eyebrow, headline, subhead, ctaLabel, ctaHref, secondaryCtaLabel, secondaryCtaHref}) => <section className="gv-cta">
    <div className="gv-cta__copy">
      {eyebrow && <Eyebrow label={eyebrow} />}
      <h2 className="gv-cta__headline">{headline}</h2>
      {subhead && <p className="gv-cta__subhead">{subhead}</p>}
    </div>
    <div className="gv-cta__actions">
      {ctaLabel && ctaHref && <a className="gv-cta__button" href={ctaHref}>
          {ctaLabel}
        </a>}
      {secondaryCtaLabel && secondaryCtaHref && <a className="gv-cta__secondary" href={secondaryCtaHref}>
          {secondaryCtaLabel}
          <svg viewBox="0 0 24 24" width="12" height="12" fill="none" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" aria-hidden="true">
            <line x1="7" y1="17" x2="17" y2="7" />
            <polyline points="7 7 17 7 17 17" />
          </svg>
        </a>}
    </div>
  </section>;

export const ArrowItem = ({children}) => <li className="gv-arrow-item">
    <span className="gv-arrow-item__arrow" aria-hidden="true">{"↳︎"}</span>
    <span className="gv-arrow-item__content">{children}</span>
  </li>;

export const ArrowList = ({children}) => <ul className="gv-arrow-list">{children}</ul>;

export const NumberedStep = ({n, title, children}) => <li className="gv-step">
    <span className="gv-step__index">{n}</span>
    <div className="gv-step__body">
      <h3 className="gv-step__title">{title}</h3>
      <div className="gv-step__content">{children}</div>
    </div>
  </li>;

export const NumberedSteps = ({children}) => <ol className="gv-steps">{children}</ol>;

export const Eyebrow = ({label, tone = "default"}) => <div className={`gv-eyebrow gv-eyebrow--${tone}`}>
    <span className="gv-eyebrow__bar" aria-hidden="true" />
    <span className="gv-eyebrow__label">{label}</span>
  </div>;

<Eyebrow label="DISCLOSURE" />

This page covers how to report a security finding, what we treat as in-scope, and the response timelines you can hold us to. The canonical machine-readable policy is served at [https://gavai.io/.well-known/security.txt](https://gavai.io/.well-known/security.txt) in RFC 9116 format; this page mirrors it in human-readable form.

## SLAs at a glance

<DefList>
  <Def term="Acknowledgment" type="SLA" defaultValue="72 hours">
    Every report gets a human reply within 72 hours. Follow up if you don't hear back — delivery issues happen.
  </Def>

  <Def term="Disclosure window" type="SLA" defaultValue="90 days">
    90 days from triage. Extensions are agreed in writing before the window closes; we do not unilaterally extend.
  </Def>

  <Def term="Encryption" type="optional">
    Encrypt sensitive proofs of concept and credentials with our PGP key before sending.
  </Def>

  <Def term="Bug bounty" type="status" defaultValue="not paid">
    Acknowledgment-only. We list valid findings in the public transparency log unless you opt out.
  </Def>
</DefList>

## How to report

<NumberedSteps>
  <NumberedStep n="01" title="Send an email">
    Email [security@gavai.io](mailto:security@gavai.io). Include a clear description of the finding, reproduction steps, and the impact you observed. For reports that contain sensitive details — credentials, proof-of-concept exploit code, or data from another workspace — encrypt the message body with our PGP key.
  </NumberedStep>

  <NumberedStep n="02" title="Receive acknowledgment within 72 hours">
    We acknowledge every security report within 72 hours. If you haven't heard back in that window, follow up to the same address — delivery issues happen.
  </NumberedStep>

  <NumberedStep n="03" title="Hold us to a 90-day disclosure window">
    The disclosure window is 90 days from triage. If you or we need more time — for a complex fix or coordinated vendor notification — we agree to any extension in writing before the window closes. We do not unilaterally extend without your agreement.
  </NumberedStep>

  <NumberedStep n="04" title="Bug bounty">
    We do not currently operate a paid bug bounty program. We acknowledge valid findings in our public transparency log at [https://gavai.io/legal/transparency](https://gavai.io/legal/transparency).
  </NumberedStep>
</NumberedSteps>

## In scope — what we want

<ArrowList>
  <ArrowItem>Authenticated and unauthenticated XSS, CSRF, and injection vulnerabilities on `gavai.io`, `gavai.app`, `gavai.build`, and `*.gavai.run`.</ArrowItem>
  <ArrowItem>Cross-tenant access — a session authenticated to workspace A successfully reading or writing workspace B's data. This is the highest-severity bucket in our policy.</ArrowItem>
  <ArrowItem>Authentication-bypass and session-fixation paths that allow a caller to act as a different user or workspace without valid credentials.</ArrowItem>
  <ArrowItem>SSRF on tenant-controlled URL fetches — any path where a tenant-supplied URL is fetched server-side without adequate validation.</ArrowItem>
  <ArrowItem>Vault findings — a vault ref resolving outside its issuing workspace. If you find a path where a tokenized secret ref can be resolved by a request from a different workspace, report it immediately.</ArrowItem>
</ArrowList>

## Not actionable

These categories aren't dismissed as a class — they're not actionable as vulnerability reports without a demonstrated exploit path.

<ArrowList>
  <ArrowItem>Reports of missing security headers without a demonstrated exploit path. Headers without impact are not actionable.</ArrowItem>
  <ArrowItem>DoS or DDoS rate-limit findings without a sustained-cost angle. Generic rate-limit observations without evidence of meaningful impact are out of scope.</ArrowItem>
  <ArrowItem>Phishing or social engineering attempts against gavAI staff. These are not security research — do not attempt them.</ArrowItem>
</ArrowList>

## Out of scope

<Note>
  Tenant-app-level vulnerabilities owned by the tenant operator — for example, SQL injection in a tenant's own Postgres schema, or a misconfigured form in a tenant's app — are the responsibility of the tenant operator, not gavAI. Report those directly to the operator. If such a report reaches us in error, we forward it to the relevant workspace owner.
</Note>

## Acknowledgments

Researchers who report valid in-scope findings are listed at [https://gavai.io/legal/transparency](https://gavai.io/legal/transparency). Listing is opt-in — tell us in your report if you prefer to remain anonymous.

## Canonical sources

<ArrowList>
  <ArrowItem>[security.txt](https://gavai.io/.well-known/security.txt) — RFC 9116-compliant machine-readable policy.</ArrowItem>
  <ArrowItem>[Policy](https://gavai.io/legal/security) — the authoritative legal-facing policy page.</ArrowItem>
  <ArrowItem>[Acknowledgments](https://gavai.io/legal/transparency) — researcher acknowledgment log.</ArrowItem>
</ArrowList>

<CTABanner eyebrow="REPORT" headline="Found something? We'd like to hear about it." ctaLabel="Email security@gavai.io" ctaHref="mailto:security@gavai.io" />
