Security disclosure
Report responsibly.
If you've found a security vulnerability in GitBrain, we want to know. We take all reports seriously and respond quickly.
security@gitbrain.ai
Our response SLA
| Stage | Timeline |
|---|---|
| Acknowledgment | < 24 hours |
| Initial triage | < 72 hours |
| P0 / Critical fix | < 7 days |
| P1 / High fix | < 30 days |
| P2 / Medium fix | < 90 days |
| P3 / Low fix | Best effort |
| Public credit | With your permission |
Scope
In scope
- Authentication & authorization bypass
- Data leakage — other organizations' data exposed
- Remote code execution (RCE)
- SQL injection / NoSQL injection
- Server-side request forgery (SSRF)
- Persistent cross-site scripting (XSS)
- Privilege escalation
Out of scope
- Denial of Service (DoS / DDoS)
- Social engineering or phishing
- Physical security attacks
- Vulnerabilities in third-party libraries (report upstream)
- Non-security bugs
PGP Key
For sensitive reports, encrypt your message with our public PGP key.
Fingerprint: B5DE 3191 0C2E 1F8A 9C42 7D0E 4A81 F9B3 2D67 E4C1
Report format
To speed up our response, include as much detail as possible.
- Affected product / URL / endpoint
- Steps to reproduce (detailed)
- Impact assessment (what can an attacker do?)
- Suggested severity (P0–P3)
- Contact for coordinated disclosure
Safe Harbor
Security researchers who report vulnerabilities in good faith have our protection. We will not take legal action against researchers who:
- Act in good faith to avoid privacy violations and disruption of services
- Do not exploit the vulnerability beyond what's necessary to confirm it
- Report before public disclosure and give us reasonable time to fix
- Do not access or modify user data without explicit written permission