Security

Vulnerability disclosure policy

We rely on the security community. Here is how to reach us, what is in scope, and the safe-harbor commitments you can rely on when reporting in good faith.

How to reach us

Email is the primary channel. We acknowledge within 2 business days and follow up with a tracking reference.

PGP

[REPLACE BEFORE LAUNCH — PGP key fingerprint]

Download public key →

In scope

  • The Geo desktop and mobile applications (Tauri builds)
  • The control plane API and admin consoles (app.getgeo.space)
  • The managed super-peer relay infrastructure
  • The marketing site (getgeo.space)
  • The published source code in our public repository

Out of scope

  • Denial-of-service attacks against our infrastructure
  • Social engineering of staff, members, or organizations
  • Physical attacks against offices or data centers
  • Reports based on missing best-practice headers without a demonstrable impact
  • Automated scanner output without manual validation

Disclosure process

  1. You report by email (PGP encouraged for sensitive issues).
  2. We acknowledge within 2 business days with a tracking reference.
  3. We triage, reproduce, and assign a severity. You receive a status update within 7 business days.
  4. We fix and verify. Severity drives the timeline; critical issues are prioritized.
  5. Coordinated public disclosure once the fix has shipped, typically within 90 days of the initial report.

Safe harbor

For research conducted in good faith and within the scope above, we will not pursue civil or criminal legal action against you. We will work with you to clarify scope before any action and to resolve issues quickly. We expect you to: avoid privacy violations, destruction of data, and degradation of user experience; report promptly; and not exploit a vulnerability beyond what is necessary to demonstrate it.

Acknowledgements

Reporters who have helped harden Geo — opt-in attribution upon request.

No public acknowledgements yet. Be the first.