Vulnerability Disclosure Policy

No Bug Bounty Program

We do not operate a bug bounty program and do not provide monetary compensation (reward) for vulnerability reports.

What to Report

A vulnerability is a technical issue with our systems that attackers could use to compromise the website or its users. Examples include:

  • Cross-site scripting (XSS) vulnerabilities
  • SQL injection flaws
  • Authentication bypasses
  • Remote code execution vulnerabilities
  • Security misconfigurations that allow exploitation

What NOT to Report

Do not submit reports about:

  • Non-exploitable vulnerabilities
  • Missing security headers or best practices (unless exploitable)
  • TLS configuration weaknesses (e.g., weak cipher suites, TLS 1.0 support)
  • Denial of Service (DoS/DDoS) vulnerabilities
  • Social engineering vectors
  • Issues already disclosed or known
  • Theoretical vulnerabilities without proof of exploitability
  • Generic security advice or automated scanner output without validation

How to Report

Include in your report:

  • The IP address and/or URL where you found the vulnerability
  • A description of the vulnerability type (e.g., XSS, SQL injection)
  • Detailed steps to reproduce the vulnerability
  • Screenshots or logs if available

Send reports to: security@grand-challenge.org

Guidelines for Researchers

When investigating and reporting vulnerabilities, you must NOT:

  • Break the law
  • Access unnecessary or excessive amounts of data
  • Modify or delete data
  • Use high-intensity invasive or destructive scanning tools
  • Attempt denial of service attacks or overwhelm our systems
  • Disrupt our services or systems
  • Disclose the vulnerability to others until we have fixed and disclosed it
  • Social engineer, phish, or physically attack our staff or infrastructure
  • Demand money to disclose a vulnerability

Report Quality Requirements

We only accept high-quality, actionable vulnerability reports. Your report must:

  • Be written by you based on your own research and testing
  • Demonstrate you have verified the vulnerability exists
  • Include specific evidence from your testing (not generic descriptions)
  • Show you understand the security impact

Prohibited: AI-Generated and Low-Quality Reports

The following will result in immediate rejection and may lead to blocking:

  • Reports generated by AI tools without human verification
  • Copy-pasted content from automated scanners without validation
  • Generic or template-based reports with no specific evidence
  • Mass-submitted reports across multiple issues without genuine testing
  • Reports that clearly demonstrate no understanding of the alleged vulnerability
  • Speculative or theoretical vulnerabilities without proof-of-concept

We reserve the right to:

  • Reject reports that do not meet quality standards without response or acknowledgment
  • Block reporters who repeatedly submit low-quality or AI-generated content
  • Share information about abusive reporting patterns with other organizations

Data Protection

You must follow data protection rules when reporting vulnerabilities. This means:

  • You must not share any data you retrieve while researching the vulnerability
  • You must keep any retrieved data secure until deletion
  • You must delete the data as soon as we no longer need it, or within 1 month after the vulnerability is resolved (whichever comes first)

Our Response Timeline

For reports that meet our quality standards, we will:

  • Acknowledge receipt within 10 working days
  • Assess your report within 20 working days
  • Prioritize fixes by impact, severity, and exploit complexity
  • Provide status updates as the issue is investigated
  • Work with you to disclose and publish the report once fixed (if desired)

Reports that do not meet quality standards may be rejected without acknowledgment.