Security at Galeira
We treat security reports as a priority. This page is the canonical place to find out how to send us one, what we'll do with it, and what we ask of you. It pairs with our machine-readable policy at /.well-known/security.txt (RFC 9116).
How to report
Email [email protected]. For sensitive findings, request a PGP key in your first message and we will reply with one; keep that first message free of exploit details until you have the key.
Please include: the vulnerability class, exact steps to reproduce, the affected URL or endpoint, your test account (if any), the date/time of testing, and impact. A short proof-of-concept video helps a lot.
Scope
- galeira.com and all subdomains we operate.
- Hosted galleries on *.events.galeira.com and custom-domain hosts pointed at our service.
- The Galeira native mobile app (Android & iOS).
- The public API at /api/*.
Out of scope
- Volumetric DoS, DDoS, application-layer flood tests, or anything that degrades service for real users.
- Social engineering of staff, customers, or hosts.
- Physical attacks against our offices or vendor offices.
- Reports generated purely by automated scanners with no demonstrated impact.
- Missing security headers without a demonstrated exploit (we know — we're tightening the CSP iteratively).
- Self-XSS, clickjacking on pages with no state-changing actions, and missing rate limiting on non-sensitive endpoints.
- Issues in third-party services we use (e.g. Stripe, Cloudflare, Sentry) — report those to the vendor.
Safe-harbour
If you act in good faith — stay within scope, do not access or modify other users' data beyond the minimum needed to prove the vulnerability, do not run automated brute-force, do not publicly disclose before we've had a reasonable window to fix — we will:
- Treat your research as authorised under our Terms of Service, the Computer Fraud and Abuse Act (US), and equivalent computer-misuse laws.
- Not pursue or support legal action against you.
- Work with you on coordinated disclosure.
We follow the principles of the disclose.io safe-harbour template. If you're unsure whether a test would be in scope, email us first and we'll tell you.
What we ask
- Give us a reasonable window to fix before disclosing publicly — usually 90 days, sooner by mutual agreement, longer for complex issues.
- Don't exfiltrate more data than needed to demonstrate impact. If you stumble on real user data, stop, report, and delete your copy.
- Don't target other users; use your own test accounts. If you need a test event, ask and we'll provision one.
- One report per issue. Don't replay the same report across our different domains hoping for duplicate credit or reward.
What we'll do
- Acknowledge your report within 2 business days.
- Validate and triage within 5 business days.
- Keep you updated at least every two weeks until the issue is fixed.
- Credit you in our Hall of Fame (below) once the issue is resolved, unless you ask us not to.
Bounties
We're a small team and do not yet run a paid bug-bounty programme. We're happy to send swag or a thank-you for clear, well-written reports of meaningful issues. As we grow we plan to set up a HackerOne / Intigriti programme; the same safe-harbour above applies in the meantime.
Hall of fame
Researchers who have helped make Galeira safer. Email us if you'd like to be added or removed.
- This list will populate as reports come in.
Other channels
- To report abusive content (not a security bug), use /report.
- For copyright takedowns, use /legal/dmca.
- For data-subject requests (GDPR / CCPA), use /legal/privacy.