Responsible Vulnerability Disclosure

How to report security issues to G8KEPR. We acknowledge reports within 48 hours and provide an initial assessment within 7 days.

Scope

In Scope

  • g8kepr.com (marketing site)
  • app.g8kepr.com (control plane / dashboard)
  • api.g8kepr.com (API endpoints)
  • docs.g8kepr.com
  • Customer-VPC sensor Docker images (downloadable; the image itself, not customer deployments)
  • Cosign-signed pattern pack distribution chain
  • Any G8KEPR-published SDKs or open-source libraries

Out of Scope

  • Customer-deployed sensor instances (those are customer infrastructure — do not attack other customers’ VPCs)
  • Third-party services: Stripe, DigitalOcean, etc. — report to those vendors directly
  • Social engineering attacks against G8KEPR staff
  • Physical attacks against offices, staff, or equipment
  • Denial-of-service testing without prior written authorization
  • Spam or content abuse
  • Vulnerabilities requiring physical access to a user’s device

Rules of Engagement

  • Make a good-faith effort to avoid privacy violations and service disruption
  • Do not access, modify, or delete customer data
  • Do not exploit vulnerabilities beyond the minimum necessary to demonstrate impact
  • Do not publicly disclose without coordinating with us first
  • Allow 90 days for remediation before public disclosure (default)
  • Contact security@g8kepr.com before starting research if you have questions about scope

What to Include in Your Report

  1. Vulnerability description and CVE/CWE reference if applicable
  2. Detailed steps to reproduce
  3. Impact assessment (what an attacker could accomplish)
  4. Affected component or URL
  5. Suggested remediation if you have one
  6. Your contact information if you want acknowledgment

Response Timeline

  • 48 hours: Acknowledgment
  • 7 days: Initial Assessment
  • 90 days: Remediation Target
  • Coordinated: Public Disclosure

Safe Harbor

G8KEPR will not pursue legal action against researchers who follow this policy in good faith. We consider good-faith security research to be a valuable contribution to the security community and to our platform.

Where this policy conflicts with any applicable law, we will work with you to understand the intent of your research. We adhere to ISO/IEC 29147 (Vulnerability Disclosure) and ISO/IEC 30111 (Vulnerability Handling Processes) where applicable.

Recognition

Public Acknowledgment

With your consent, we list researchers who have responsibly disclosed valid vulnerabilities on our Researchers page.

Bug Bounty

We do not currently offer a monetary bug bounty. For exceptional findings we may offer swag or other recognition. A formal bug bounty program is under consideration for 2026 H2.

Found Something?

We take every report seriously and respond promptly.