Coordinated Vulnerability Disclosure Policy
Effective 27 May 2026
Glassbreak welcomes reports from security researchers. This policy describes what we ask in return for safe-harbour protection, how to reach us, and what to expect after a report lands.
How to report
Send a single email to security@glassbreak.io. We accept clear-text reports, but if you would prefer to encrypt, our PGP key is published at /.well-known/security.txt. Include:
- A description of the issue and its security impact.
- Steps to reproduce, or a working proof-of-concept.
- The affected URL, endpoint, or component.
- The version, date, and time you observed the issue.
- Your preferred name for recognition (optional).
What you can expect
- Acknowledgement within 2 business days. We will reply to confirm we received your report.
- Initial triage within 5 business days. We will assess severity and tell you whether we accept the report.
- Status updates at least every 14 days while the issue is open.
- Public credit on the trust page when a fix ships, if you wish.
Scope
Reports about the following components are in scope:
- Production services on the glassbreak.io, glassbreak.dev, and glass-break.com domains.
- The Glassbreak iOS and Android mobile apps.
- The published web client at app.glassbreak.io.
- The public API documented at api.glassbreak.io.
- Cryptographic claims published on the trust page or the security page.
Out of scope
- Findings from automated tools without a working exploit.
- Missing security headers that do not lead to a concrete vulnerability.
- Reports about TLS/SSL configurations on third-party domains we do not own.
- Social-engineering of Glassbreak employees, customers, or partners.
- Physical security attacks against Glassbreak offices or staff.
- Volumetric DDoS or any test that degrades service for other users.
- Vulnerabilities requiring a rooted / jailbroken device.
- Spam, content injection, or SEO concerns.
- Disclosure of public information (e.g. the names of our cloud providers, which are intentionally documented).
Safe harbour
We will not pursue legal action against researchers who act in good faith under this policy. Acting in good faith means:
- You give us a reasonable opportunity to address an issue before any public disclosure.
- You do not access, modify, or delete data that is not your own. If you accidentally encounter another customer's data, stop, report it to us, and do not retain a copy.
- You do not degrade service for other users or run automated scans above normal traffic levels.
- You do not use findings for personal gain or extortion.
- You comply with applicable law.
If you are unsure whether something is permitted, ask us first.
Disclosure timeline
Our default coordinated-disclosure window is 90 days from the date you report the issue. We may agree to shorter or longer windows by mutual consent — for example, if a critical issue is being actively exploited, we will move faster; if a fix requires a major architectural change, we may request more time.
Once a fix ships, we will publish a brief post-mortem describing the issue and the mitigation. With your permission, we will credit you by name.
Bug bounty
We do not currently operate a paid bug-bounty programme. We may introduce one as the business matures. In the meantime, we offer public credit, a Glassbreak swag pack, and our genuine thanks.
Contact
security@glassbreak.io — for security reports.
legal@glassbreak.io — for legal questions about this policy.