Coordinated disclosure policy.
We welcome reports of security vulnerabilities. Please follow this policy when you research and report issues. Version 1.0 — Effective 2026-03-24.
POLICY
What we accept and how we respond.
Scope
- All publicly reachable services and assets operated by Grilli OÜ (private limited company, registered in Estonia), unless explicitly excluded.
How to report
- Email security@grillisecurity.com
- Reference /.well-known/security.txt for current contacts
- PGP encryption available on request
Response SLAs
- Acknowledge within 72 hours
- Coordinated disclosure with reporter after remediation or within a mutually agreed window
RULES
Safe harbour and limits.
Safe harbour
- We will not pursue legal action for good-faith research that respects this policy
- Do not access customer data, degrade service, or retain data
- Make a good-faith effort to avoid privacy violations and service disruption
- No extortion: do not make demands for payment as a condition for disclosure
Out of scope
- Denial of Service or volumetric attacks
- Automated scans without coordination
- Clickjacking on non-sensitive pages, missing SPF/DMARC reports, or best-practice advisories without exploitability
Testing constraints
- Do not access or exfiltrate live customer data; if you encounter it accidentally, stop immediately and report the details securely
- Avoid production impact; coordinate high-risk tests with us in advance
- Retain only the minimum data required to document the vulnerability; delete it once the report is submitted
THANKS
Recognition.
- We appreciate the security community. With permission, we recognise contributors here.
- To be listed, please tell us your preferred name/handle after coordinated disclosure.
