Security & Vulnerability Disclosure

Effective date: [Month Day, Year]
Last updated: [Month Day, Year]

We welcome good-faith reports of security vulnerabilities affecting the Services.

1) Report a vulnerability

Email: security@graam.institute
Include: what you found, where it occurs, how to reproduce, impact, and any relevant details.

2) Scope

This policy applies to systems and software we operate or publish as part of graam.institute. Third-party services are out of scope unless explicitly stated.

3) Guidelines

Please do not:

• harm users, access data that is not yours, or violate privacy
• attempt social engineering, phishing, or physical attacks
• perform denial-of-service testing or disruptive scanning
• publicly disclose before giving us a reasonable opportunity to investigate and address the issue

4) Coordinated disclosure

We request coordinated disclosure and will make a best-effort attempt to acknowledge receipt and follow up.

5) Safe harbor (good-faith)

We will not initiate legal action against you for security research conducted in good faith and consistent with this policy. This does not apply to unlawful conduct or actions that cause harm, disruption, or data access beyond what is necessary to demonstrate the issue.

6) No guarantee of reward

We may choose to acknowledge reports or offer rewards, but we do not promise compensation unless explicitly stated in a separate program.