Security

Responsible Disclosure

We value the security research community and welcome responsible disclosure of potential vulnerabilities.

Our Commitment

Grain Analytics is committed to ensuring the security of our platform and protecting our users' data. We appreciate the efforts of security researchers who help us maintain the highest security standards.

If you believe you've discovered a security vulnerability in our platform, we encourage you to report it to us responsibly. We will work with you to understand and resolve the issue promptly.

Scope

What is and isn't covered by this policy

In Scope

  • grainql.com (main website)
  • clientapis.grainql.com & queryapis.grainql.com (API endpoints)
  • @grainql/tag SDK (Grain Tag)
  • Authentication and authorization flows
  • Data privacy and isolation issues

Out of Scope

  • Social engineering attacks
  • Physical security testing
  • Denial of service (DoS/DDoS) attacks
  • Third-party services (Auth0, Stripe, etc.)
  • Spam or content injection without security impact

How to Report

Please follow these steps to report a security vulnerability

1

Email Our Security Team

Send a detailed report to security@grainql.com

  • Encrypted communication available upon request
  • Use a descriptive subject line (e.g., "Security Vulnerability: [Type]")
2

Include Detailed Information

Help us understand and reproduce the issue by providing:

  • Description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Proof of concept (PoC) code or screenshots if applicable
  • Any tools, settings, or configurations used
  • Your assessment of severity (Critical, High, Medium, Low)
3

Work With Us

We'll coordinate with you throughout the process:

  • Acknowledge receipt within 48 hours
  • Provide regular updates on our progress
  • Coordinate disclosure timeline (typically 90 days)
  • Credit you in our security acknowledgments (optional)

Response Timeline

Our commitment to timely vulnerability resolution

48 hours
Initial Response
5 days
Triage Assessment
7-30 days
Fix Timeline
90 days
Coordinated Disclosure

Fix Timeline by Severity

Critical:7 days
High:14 days
Medium:30 days

Safe Harbor

We will not pursue legal action against security researchers who:

  • Report vulnerabilities in good faith
  • Make a good faith effort to avoid data destruction
  • Do not access or modify user data beyond what is necessary
  • Keep details confidential until we resolve the issue
  • Do not exploit the vulnerability for personal gain

Recognition

We value your contribution to our security:

  • Public acknowledgment on our security page (with your permission)
  • Credit in release notes for fixed vulnerabilities
  • Direct communication with our security team

Security Researchers Hall of Fame

No vulnerabilities reported yet. Be the first to help us improve our security!

Found a Vulnerability?

We appreciate your help in keeping Grain Analytics secure. Report it to us today.

Response within 48 hours • Coordinated disclosure • Safe harbor protection