Coordinated disclosure policy.

We welcome reports of security vulnerabilities. Please follow this policy when you research and report issues. Version 1.0 — Effective 2026-03-24.

POLICY

What we accept and how we respond.

Scope

  • All publicly reachable services and assets operated by Grilli OÜ (private limited company, registered in Estonia), unless explicitly excluded.

How to report

  • Email security@grillisecurity.com
  • Reference /.well-known/security.txt for current contacts
  • PGP encryption available on request

Response SLAs

  • Acknowledge within 72 hours
  • Coordinated disclosure with reporter after remediation or within a mutually agreed window

RULES

Safe harbour and limits.

Safe harbour

  • We will not pursue legal action for good-faith research that respects this policy
  • Do not access customer data, degrade service, or retain data
  • Make a good-faith effort to avoid privacy violations and service disruption
  • No extortion: do not make demands for payment as a condition for disclosure

Out of scope

  • Denial of Service or volumetric attacks
  • Automated scans without coordination
  • Clickjacking on non-sensitive pages, missing SPF/DMARC records, or best-practice advisories without demonstrated exploitability

Testing constraints

  • Do not access or exfiltrate live customer data; if you encounter it accidentally, stop immediately and report the details securely
  • Avoid production impact; coordinate high-risk tests with us in advance
  • Retain only the minimum data required to document the vulnerability; delete it once the report is submitted

THANKS

Recognition.

  • We appreciate the security community. With permission, we recognise contributors here.
  • To be listed, please tell us your preferred name/handle after coordinated disclosure.

ACTIVE INCIDENT?