Vulnerability Disclosure Policy

We take security seriously and welcome responsible disclosure of vulnerabilities. This policy describes how to report security issues and what to expect from us.

How to Report

If you believe you have found a security vulnerability in Genos, please report it to us at security@genos.app.

Please include in your report:

  • A description of the vulnerability and its potential impact
  • Detailed steps to reproduce the issue, including any tools or configurations used
  • The affected component (web application, API, infrastructure)
  • Any proof-of-concept code, screenshots, or logs that demonstrate the issue

Please encrypt sensitive reports using our PGP key, available upon request.

Response Timeline

  • Acknowledgment: Within 48 hours of receiving your report
  • Triage: Within 5 business days, we will assess the severity and assign a priority
  • Resolution: Critical vulnerabilities are addressed within 7 days; high-severity within 30 days; medium and low within 90 days
  • Notification: You will be notified when the vulnerability has been resolved

Scope

In scope:

  • The Genos web application and all its subdomains
  • API endpoints and authentication mechanisms
  • Data encryption and access control systems
  • Third-party integrations within our control

Out of scope:

  • Social engineering attacks (phishing, pretexting, etc.)
  • Denial of service (DoS/DDoS) attacks
  • Physical security of offices or data centers
  • Vulnerabilities in third-party services not operated by Genos (e.g., Supabase, Vercel, Stripe)
  • Attacks requiring physical access to a user's device

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized and will not pursue legal action against researchers who:

  • Act in good faith to avoid privacy violations, data destruction, and service disruption
  • Only interact with accounts they own or with explicit permission from the account holder
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it
  • Report the vulnerability promptly and do not disclose it publicly until we have had a reasonable opportunity to address it
  • Do not use automated scanning tools that generate significant traffic or could degrade service

If legal action is initiated by a third party against you for activities conducted in compliance with this policy, we will take steps to make it known that your actions were conducted in accordance with this policy.

This policy is effective as of March 2026 and may be updated periodically. Questions about this policy can be directed to security@genos.app.