Security
Gradelog takes the security of our platform and customer data seriously. If you believe you have found a security vulnerability, we encourage you to report it responsibly and we commit to working with you to address it promptly.
The following systems and services are in scope for security research:
Out of Scope
Denial-of-service attacks, spam, social engineering of Gradelog staff, physical security attacks, third-party services (Stripe, Supabase, Vercel, PostHog), and vulnerabilities in systems not operated by Gradelog. Testing must not degrade service availability or access other users' data.
Email your findings to security@gradelog.com. Please include:
You may optionally encrypt your report using our PGP key — email security@gradelog.com to request it.
Acknowledgment
Within 2 business days
We will confirm receipt of your report and assign it for review.
Initial assessment
Within 5 business days
We will assess severity and confirm whether the issue is valid and in scope.
Resolution
Varies by severity
Critical issues are prioritized; we will keep you updated on progress and notify you when a fix is deployed.
Gradelog will not pursue legal action against security researchers who:
We ask that you give us reasonable time — typically 90 days — to investigate and remediate before any public disclosure. We will work with you on the timing if you have concerns.
Gradelog does not currently operate a paid bug bounty program. We cannot offer monetary rewards for vulnerability reports. However, we genuinely appreciate responsible disclosure and are happy to acknowledge researchers in our changelog (with your permission).
Ready to report?
Email security@gradelog.com with the details above. Thank you for helping keep Gradelog and our customers safe.
This policy was last updated July 2026. For the machine-readable version, see /.well-known/security.txt.