Vulnerability Disclosure Policy (VDP)
TLDR
- Report security vulnerabilities found in Glama's systems to: security@glama.ai.
- Please provide details on the vulnerability and how to reproduce it.
- Act in good faith. Avoid privacy violations, data destruction, or service disruption (like DoS).
- Keep findings confidential between you and Glama until we've had reasonable time to address them.
Introduction
Glama is committed to the security of our users and our platform. We value the contributions of independent security researchers who help us identify and address potential vulnerabilities. This policy outlines how to conduct vulnerability discovery activities related to our systems and how to submit discovered vulnerabilities to us.
We encourage responsible reporting of any vulnerabilities that may be found in our site or applications. Glama is committed to working with the security community to verify and address potential issues.
Scope
This policy applies to security vulnerabilities found within the following Glama-owned systems and services:
- The primary website:
glama.ai - Any subdomains directly controlled by Glama under
*.glama.ai
Out of Scope:
The following are explicitly out of scope for this policy:
- Third-party services or providers used by Glama (e.g., hosting providers, CDN providers, email providers). Please report vulnerabilities directly to the third party according to their disclosure policy.
- Social media channels operated by Glama (e.g., Twitter, LinkedIn).
- Glama marketing websites hosted by third-party vendors (unless explicitly listed in scope).
- Physical security of Glama facilities.
- Social engineering (e.g., phishing, vishing) of Glama employees, contractors, or users.
- Denial of Service (DoS or DDoS) attacks or testing that could degrade the availability of Glama services.
- Scanning using automated tools that produce high volumes of traffic. Basic scanning is acceptable, but overly aggressive scanning is prohibited.
How to Report a Vulnerability
If you believe you have discovered a security vulnerability within the scope of this policy, please report it to us as quickly as possible by emailing: security@glama.ai
When submitting a report, please include the following details:
- Clear Description: A clear description of the vulnerability, including the potential impact.
- Location: The specific URL, IP address, application component, or API endpoint where the vulnerability was found.
- Steps to Reproduce: Detailed steps required to reproduce the vulnerability (including any necessary tools, code snippets, or proof-of-concept).
- Screenshots/Videos (Optional but helpful): Visual evidence demonstrating the vulnerability.
- Contact Information: Your name and contact information (email address) for follow-up questions.
Please provide sufficient detail so we can replicate the issue.
Vulnerabilities We Are Interested In
We are primarily interested in vulnerabilities such as (but not limited to):
- Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- Server-Side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- Authentication or Authorization flaws
- Significant Security Misconfigurations with demonstrable impact
- Information Disclosure of sensitive data
- Directory Traversal / Path Traversal
- XML External Entity (XXE) attacks
Exclusions / Non-Qualifying Reports
The following types of findings are generally considered out of scope or non-qualifying unless they lead to a demonstrable, significant security impact:
- Missing security headers (e.g.,
Strict-Transport-Security,Content-Security-Policy,X-Frame-Options) without proof of exploitability. - Software version disclosure without proof of exploitability.
- Clickjacking on pages with no sensitive actions or information.
- Self-XSS (requires user interaction to exploit themselves).
- Logout Cross-Site Request Forgery (CSRF).
- Rate limiting or brute-force issues on non-authentication endpoints.
- Missing best practices (e.g., password complexity requirements) unless leading to account compromise.
- Reports from automated scanners without manual verification and proof of concept.
- Findings related to email best practices (SPF, DKIM, DMARC) unless they lead to a specific vulnerability.
- Expired SSL/TLS certificates.
Guidelines / Rules of Engagement
When conducting security research, we ask that you:
- Do No Harm: Act in good faith. Avoid privacy violations, destruction of data, interruption, or degradation of our services.
- Respect Privacy: Do not access, download, modify, or store user data or confidential Glama information beyond what is minimally necessary to demonstrate the vulnerability. If you encounter user data, stop your testing and report it immediately.
- No Destructive Testing: Do not perform actions that could negatively impact Glama or its users (e.g., DoS, spamming, social engineering).
- Confidentiality: Keep information about discovered vulnerabilities confidential between yourself and Glama until we have had a reasonable time to address the issue and provide consent for disclosure. Public disclosure before a fix is implemented can put users at risk.
- Compliance: Comply with all applicable laws and regulations.
Our Commitment
- Acknowledgement: We will strive to acknowledge receipt of your vulnerability report within 2 business days.
- Triage: We will investigate and validate submitted reports. We aim to confirm the validity of a vulnerability within 5 business days of acknowledgment.
- Communication: We will maintain open communication throughout the process, providing status updates, particularly as remediation progresses.
- Remediation: We will work to remediate validated vulnerabilities in a timely manner, considering the severity and complexity.
- Recognition: We greatly appreciate the efforts of security researchers. While Glama does not currently offer a monetary bug bounty program, we are happy to provide public acknowledgment for researchers who submit valid reports and adhere to this policy, if they wish to be recognized.
Safe Harbor
Glama considers security research conducted under this policy to be authorized and lawful. We will not initiate legal action against researchers for discovering and reporting vulnerabilities in good faith according to this policy. This includes exemptions from restrictions in our Terms of Service that might otherwise prohibit security testing.
To be protected by this Safe Harbor provision, researchers must:
- Comply fully with this Vulnerability Disclosure Policy.
- Not cause harm to Glama, our users, or our systems.
- Not violate any laws or regulations.
- Provide us a reasonable amount of time to fix the vulnerability before any public disclosure.
If at any point you are unsure whether your actions comply with this policy, please contact us at security@glama.ai before proceeding.
Policy Updates
This policy may be updated from time to time. The latest version will always be available at this location.
Questions
If you have any questions about this policy, please contact us at security@glama.ai.
This policy was last updated on 2025-04-02.