Responsible Disclosure Policy
Rules for good-faith security research and reporting vulnerabilities in Grik.io, Ricochet, Rico, and related systems.
1. Purpose
The security of Grik.io, Ricochet, Rico, and their users, data, and integrations is a priority. We welcome good-faith reports from security researchers about potential vulnerabilities and ask researchers to follow this Responsible Disclosure Policy.
2. In scope
The scope includes internet-facing systems, domains, subdomains, APIs, the dashboard, billing, hosted inference, Grik Gateway, Ricochet cloud components, Rico render components, the official Ricochet open-source repositories, and the official messenger integrations owned or controlled by Grik.io.
3. Out of scope
Third-party systems are out of scope even when integrated with Grik.io: AI providers, payment processors, hosting providers, messengers, GitHub/GitLab, OpenRouter, marketplaces, browser stores, app stores, and other independent services. Report vulnerabilities in those systems to their owners.
4. Vulnerabilities we care about
- authentication bypass or account takeover (demonstrate with minimal testing, using only accounts you own);
- privilege escalation, IDOR, access control failures;
- remote code execution, command injection, sandbox escape;
- SSRF, SQL/NoSQL injection, XSS with real impact, CSRF on sensitive actions;
- secrets exposure, leakage of API keys, tokens, webhooks, or private data;
- insecure handling of BYOK keys, workspace secrets, repository tokens, or messenger credentials;
- supply-chain risks in official packages, build scripts, CI/CD, extensions, updates, or installers;
- cross-tenant data access, billing bypass, or credit abuse vulnerabilities with real security impact.
5. Exclusions and prohibited methods
- DDoS, resource exhaustion, stress testing, spam, mass scanning, or high-volume automated testing;
- social engineering, phishing, vishing, smishing, bribery, or impersonation of employees, contractors, or users;
- physical attacks, office access, device theft, or network intrusion outside explicit authorization;
- brute force against accounts that are not yours, password spraying, credential stuffing;
- accessing, downloading, modifying, deleting, or retaining data that is not yours beyond what is strictly necessary to prove impact;
- public disclosure before coordinated remediation unless required by law;
- extortion, threats, conditional disclosure demands, or demands for payment as a condition of reporting;
- pure model jailbreaks, prompt-safety issues, or content policy concerns without a technical vulnerability; send those reports to the safety contact instead.
6. Research rules
Test only accounts, workspaces, repositories, keys, devices, and data you own or are authorized to use. Use the minimum proof of concept necessary. Do not disrupt service availability or degrade other users’ experience.
If you accidentally access someone else’s data, stop testing immediately, do not copy or share the data, and include the access in your report.
7. How to report
Send your report to security@grik.io. If that address is not yet active, use the backup email support@grik.io with the subject SECURITY REPORT. Please report one vulnerability per submission and include the following:
- vulnerability type and estimated severity;
- affected URL, endpoint, repository, package, version, app, or integration;
- steps to reproduce;
- proof of concept, screenshots, screen recording, logs, or minimal code;
- potential impact and affected data;
- remediation suggestions, if any;
- public disclosure plans, if you want to coordinate them.
8. What to expect from us
We aim to acknowledge a good-faith report within 3 business days, triage the report, request clarification if needed, and keep you informed of major investigation milestones. Remediation timelines depend on complexity, risk, third-party dependencies, and provider coordination.
9. Safe harbor
If you act in good faith, comply with this Policy and the law, and do not cause harm, we will not initiate legal claims solely because of such research and responsible reporting. Safe harbor does not apply to extortion, threats, illegal access, harm, third-party rights violations, or actions outside scope.
10. Public disclosure
We support researchers’ right to disclose publicly after safe coordination. Do not publicly disclose vulnerability details or share them with third parties before coordinating a reasonable remediation period with Grik.io unless disclosure is required by law.
11. Rewards
As of the last updated date, Grik.io does not guarantee bug bounty payments. We may, at our discretion, thank researchers, attribute their name in a public disclosure, or offer other recognition if lawful and agreed.