Grafflix Security
Grafflix Security

Responsible Vulnerability Disclosure Policy

  • Home
  • Responsible Vulnerability Disclosure Policy

"Prevention is cheaper than a breach"

Responsible Vulnerability Disclosure Policy

Effective Date: July 2026


Responsible Vulnerability Disclosure Policy

Grafflix LLC (“Grafflix,” “we,” “our,” or “us”) is committed to protecting the confidentiality, integrity, and availability of our information systems. As a cybersecurity consulting firm, we value the responsible efforts of security researchers who help identify vulnerabilities in a manner that promotes security while protecting our clients, partners, and business operations.

This Responsible Vulnerability Disclosure Policy describes how security researchers should report potential vulnerabilities affecting Grafflix-owned public systems and explains the scope of authorized security research.


Our Commitment

Grafflix believes responsible vulnerability disclosure contributes to a more secure Internet and benefits the broader cybersecurity community.

When vulnerabilities are reported responsibly and in good faith, we are committed to:

  • Acknowledging receipt of vulnerability reports.
  • Reviewing and validating reported issues.
  • Investigating confirmed vulnerabilities.
  • Taking appropriate remediation actions.
  • Communicating with researchers, when appropriate, throughout the process.

Scope

This policy applies only to systems that are publicly owned and operated by Grafflix LLC, including:

  • https://grafflixllc.com
  • Public Grafflix web applications
  • Public APIs owned and operated by Grafflix
  • Public Internet-facing infrastructure owned by Grafflix LLC

This policy does not apply to:

  • Client systems
  • Customer environments
  • Third-party hosted services
  • Vendor systems
  • Cloud providers not owned by Grafflix
  • Internal corporate systems
  • Employee devices
  • Demonstration environments unless specifically designated

How to Report a Vulnerability

Researchers should report vulnerabilities promptly and privately through the Contact page on our website.

Please include, where applicable:

  • Description of the vulnerability
  • Affected URL(s), IP addresses, or services
  • Steps required to reproduce the issue
  • Proof-of-concept or screenshots
  • Estimated impact
  • Date discovered
  • Contact information

Reports that include sufficient technical detail enable us to investigate more efficiently.


Expectations for Responsible Research

Researchers acting under this policy should:

  • Act in good faith.
  • Avoid violating applicable laws.
  • Minimize disruption to systems and users.
  • Respect the privacy of others.
  • Avoid accessing or modifying data unnecessarily.
  • Report findings privately before any public disclosure.
  • Allow Grafflix a reasonable opportunity to investigate and remediate confirmed vulnerabilities before discussing them publicly.

Authorized Activities

The following activities are generally considered acceptable when performed in good faith and within the scope of this policy:

  • Identifying security misconfigurations.
  • Testing for common web application vulnerabilities.
  • Validating publicly accessible security controls.
  • Reporting security weaknesses without exploiting them beyond what is necessary to demonstrate their existence.

Authorization under this policy is limited and does not extend to any activities outside the stated scope.


Prohibited Activities

The following activities are expressly prohibited without prior written authorization from Grafflix LLC:

  • Denial-of-Service (DoS) attacks.
  • Distributed Denial-of-Service (DDoS) attacks.
  • Social engineering.
  • Phishing.
  • Pretexting.
  • Physical security testing.
  • Credential stuffing.
  • Password spraying.
  • Brute-force authentication attacks.
  • Malware deployment.
  • Ransomware testing.
  • Exploitation resulting in service interruption.
  • Data exfiltration.
  • Modification or deletion of data.
  • Persistent access or backdoors.
  • Privilege escalation beyond what is necessary to demonstrate a vulnerability.
  • Accessing customer or third-party information.
  • Automated vulnerability scanning that significantly impacts service availability.
  • Testing systems outside the scope of this policy.

Any activity that adversely affects the availability, confidentiality, or integrity of Grafflix systems, customer information, or third-party services is prohibited.


Unauthorized Testing

This policy does not authorize penetration testing, vulnerability scanning, exploit development, red teaming, social engineering, or any other offensive security activities against Grafflix systems.

Security testing may only be conducted under a separate written agreement expressly authorizing such activities.

Unauthorized testing may result in:

  • Blocking of network traffic.
  • Suspension of access.
  • Investigation.
  • Referral to law enforcement.
  • Civil remedies where appropriate.

Safe Harbor

Grafflix will not intentionally pursue legal action against researchers who:

  • Act in good faith.
  • Comply with this policy.
  • Avoid privacy violations.
  • Avoid service disruption.
  • Promptly report discovered vulnerabilities.
  • Do not exploit vulnerabilities beyond what is reasonably necessary to demonstrate their existence.

This Safe Harbor statement does not provide authorization to violate any applicable law or access systems beyond the scope defined in this policy.


Bug Bounty Program

Grafflix LLC does not currently operate a public bug bounty program.

Submission of a vulnerability report does not create any entitlement to compensation.

We reserve the right to recognize researchers at our discretion.


Coordinated Disclosure

Grafflix supports coordinated vulnerability disclosure.

Researchers are requested not to publicly disclose vulnerability details until:

  • Grafflix has confirmed remediation, or
  • A mutually agreed disclosure timeline has expired.

This helps protect website users and business partners while remediation efforts are underway.


No Waiver of Rights

Nothing in this policy limits Grafflix’s legal rights regarding unauthorized access, malicious activity, or violations of applicable law.


Changes to This Policy

Grafflix may update this Responsible Vulnerability Disclosure Policy periodically to reflect changes in technology, business operations, legal requirements, or security practices.

The Effective Date at the top of this page reflects the current version.


Contact Us

To report a potential security vulnerability, please use the Contact page on our website and include “Responsible Vulnerability Disclosure” in the subject of your message.

Grafflix LLC

Website: https://grafflixllc.com

Scroll to top