Gravity takes security seriously. If you believe you've found a vulnerability that affects the Gravity platform or any property we control, this page tells you how to report it safely, what we will do in response, and the protections we extend to good-faith researchers.
01 Our promise
- We will acknowledge receipt of every report within 72 hours.
- We will triage the report and respond with our initial assessment within 7 days.
- We will fix confirmed issues on a timeline matched to severity (see Section 6).
- We will credit reporters who request acknowledgment, after the fix has shipped.
- We will not pursue legal action against researchers who follow this policy in good faith.
02 How to report
Email: security@gravity.fast
Please include:
- A clear, reproducible description of the issue.
- The asset affected (URL, endpoint, mobile app version).
- Step-by-step proof of concept; minimal payloads only.
- Impact you reasonably believe the issue could have.
- Your name or handle if you would like credit, and your email for follow-up.
For sensitive reports, we accept PGP-encrypted email. Our public key is linked from the Encryption field of our security.txt file (RFC 9116) at https://gravity.fast/.well-known/security.txt; verify the key fingerprint against that file before encrypting.
03 In scope
- https://gravity.fast and all sub-domains under *.gravity.fast that we operate.
- Gravity's APIs and authenticated web application.
- Gravity-authored mobile applications (when launched).
- Authentication, authorization, and tenant-isolation flaws.
- Server-side code execution, SSRF, IDOR, broken access control, sensitive data exposure.
- Logical flaws affecting credit accounting, refunds, or revenue split.
- Cross-site scripting, CSRF, clickjacking, host-header injection on authenticated routes.
- Configuration issues that materially weaken security (open S3/R2 buckets, exposed secrets in production).
- Vulnerabilities in our use of AI model APIs that allow exfiltration of other users' content.
04 Out of scope
- Reports that require physical access to a victim's device.
- Social engineering of Gravity employees, contractors, or vendors (including phishing simulations).
- Denial of service, distributed denial of service, or any attempt to degrade availability.
- Volumetric, automated, or brute-force attacks.
- Reports based purely on missing or weak headers (HSTS, CSP) without a demonstrated impact.
- Self-XSS or vulnerabilities that require pasting content into the browser console.
- Issues affecting only outdated browsers or end-of-life operating systems.
- Reports of public information disclosure where no sensitive data is exposed.
- Vulnerabilities in third-party software or services we use (please report to the vendor; share their reference number with us so we can track).
- Builder-published Agent quality issues (please email abuse@gravity.fast instead).
- Findings against staging or sandbox environments not explicitly listed.
05 Rules of engagement
To stay within safe-harbor protections (Section 8), please:
- Test only against accounts you own. Do not access, modify, or destroy other users' data.
- Stop and report as soon as you have proof of concept. Do not pivot, escalate, or maintain access.
- Do not exfiltrate data. If you accidentally encounter another user's data, halt testing and tell us.
- Do not run automated scanners at high volume. Throttle to a level that does not impact availability for others.
- Do not use social engineering against Gravity staff or vendors.
- Do not disclose the issue publicly until we have shipped a fix or 90 days have passed since your report (whichever comes first), and please coordinate the disclosure with us.
- Comply with applicable law. If law in your jurisdiction prohibits the testing you intend, do not perform it.
06 Severity & SLAs
We assign severity using the CVSS v3.1 framework, adjusted for the context of our environment. The times below are upper bounds by severity; the initial-assessment column is the per-severity target for the triage response promised in Section 1.
| Severity | Examples | Initial assessment | Fix target |
|---|---|---|---|
| Critical | Remote code execution; cross-tenant data exposure; full account takeover. | 24 hours | 72 hours |
| High | Single-tenant data exposure; privilege escalation; auth bypass for non-admin accounts. | 48 hours | 14 days |
| Medium | Stored XSS in low-impact context; CSRF on sensitive but non-financial endpoints. | 72 hours | 30 days |
| Low | Self-impact issues; minor information disclosure; reflected XSS in low-traffic paths. | 5 days | 60 days |
07 Recognition
We do not yet operate a paid bug bounty. We do publish a Security Hall of Fame recognizing researchers who report valid issues, with their permission. Once a public bounty program is launched, qualifying past reports will be considered for retroactive recognition. Material findings from the early access period may receive Gravity Credits or merchandise at our discretion.
08 Safe harbor
Gravity considers research conducted under this policy to be:
- Authorized in view of the Computer Fraud and Abuse Act (CFAA), India's Information Technology Act, 2000, the UK Computer Misuse Act, and analogous anti-hacking laws, and we will not pursue legal action against you for research that follows this policy in good faith.
- Authorized with respect to anti-circumvention laws, to the extent those laws apply to security research; we will not bring a claim against you for circumventing technical controls in the course of such research.
- Exempt from any restriction in our Terms of Service that would otherwise prohibit security testing.
If a third party brings legal action against you for activity conducted in good-faith compliance with this policy, we will make it known that your activity was authorized under this policy. We cannot, of course, authorize testing against systems we do not operate, and nothing in this policy removes your obligations under the laws of other jurisdictions.
09 Legal notes
- By submitting a report, you grant Gravity an unrestricted, royalty-free license to use the information you submit to investigate, fix, and (with your permission) publicize the issue.
- You confirm you are not on any sanctioned-party list and not located in a jurisdiction subject to comprehensive sanctions imposed by the United Nations, the United States, the European Union, or India.
- This policy may be updated as our security program matures. Material changes will be summarized at the top of this page for thirty (30) days.