Security

Vulnerability disclosure policy.

If you find a security issue, report it to us responsibly and we will handle it with urgency.

Our commitment

  • Acknowledge receipt within 3 business days.
  • Share a status update and estimated remediation timeline.
  • Treat your report as confidential while we investigate.
  • Offer public acknowledgment, if requested, after resolution.
  • Not initiate legal action for research conducted lawfully and in accordance with this policy.

How to report

Email hello@define-gravity.com with:

  • A clear description of the issue and impact.
  • Reproduction steps and supporting evidence (screenshots or proof-of-concept details).
  • The exact URL, host, endpoint, or service affected.

Rules of engagement

  • No disruptive testing: no DoS, DDoS, or stress attacks.
  • No social engineering, impersonation, or physical bypass attempts.
  • If you encounter sensitive data, stop immediately and report it. Do not copy, exfiltrate, or retain data.
  • Do not establish persistence or install backdoors, and do not modify production data.
  • Use coordinated disclosure and allow reasonable remediation time before public disclosure.

Out of scope

  • Missing security headers without a demonstrated exploit path.
  • Scanner-only findings without manual validation.
  • Clickjacking reports on pages without sensitive actions.
  • Issues in third-party systems not controlled by Define Gravity.

Define Gravity does not currently run a paid bug bounty program. We provide professional acknowledgment for valid, high-impact findings.

Last updated: March 23, 2026.