Galileo

Responsible Disclosure Program

Our Commitment to Security

We are committed to maintaining the highest standards of security across our platform. We welcome the support of the security research community and encourage responsible disclosure of vulnerabilities that help us protect our users, partners, and infrastructure.

This program does not offer monetary rewards or service credits. Instead, we provide:

  • Safe Harbor protections

  • Transparent communication

  • Public recognition for impactful contributions

1. Scope of Testing

Testing is permitted only on systems we own and operate.

In Scope

  • Web applications

  • APIs and backend services

  • Authentication and session management flows

  • Mobile applications and associated backend endpoints

  • Publicly accessible subdomains and cloud resources

Out of Scope

  • Denial‑of‑service attacks

  • Social engineering

  • Physical security testing

  • Third‑party systems

  • Automated scanning that degrades performance

  • Accessing or modifying data that does not belong to you

2. Rules of Engagement

To ensure safe and responsible testing:

  • Do not disrupt services or degrade performance

  • Do not access or modify data belonging to others

  • Stop immediately if you encounter sensitive data

  • Use only accounts you own or are authorised to test

  • Do not publicly disclose vulnerabilities before we confirm a fix

  • Do not attempt to pivot into third‑party systems

Researchers acting in good faith and following this policy are protected under our Safe Harbor commitment.

3. How to Report a Vulnerability

A valid report should include:

  • Clear description of the vulnerability

  • Step‑by‑step reproduction instructions

  • Impact assessment

  • Proof‑of‑concept (screenshots, payloads, or videos)

  • Your contact details

If you believe you’ve discovered a security vulnerability, please contact our security team at: 

security[at]galileo[dot]ai

We encourage encrypted communication where possible.

We acknowledge reports within 48 hours and provide updates throughout the triage process.

4. Triage & Validation Process

Our security and engineering teams follow a structured workflow:

  • Acknowledge the report

  • Validate and reproduce the issue

  • Classify severity

  • Communicate status updates

  • Deploy a fix

  • Invite the researcher to retest

5. Severity Matrix

Severity reflects impact, not attacker identity.

Severity: Definition

  • Critical: Full system compromise, admin account takeover, remote code execution (RCE), authentication bypass

  • High: Sensitive data exposure, major privilege escalation, abuse of a critical workflow

  • Medium: Limited data exposure, moderate privilege escalation, workflow manipulation

  • Low: Minor misconfigurations, low‑impact issues

  • Informational: Non‑exploitable best‑practice issues

6. Safe Harbor

We will not pursue legal action against researchers who:

  • Act in good faith

  • Follow this policy

  • Avoid privacy violations

  • Avoid service disruption

  • Provide reasonable time for remediation

7. Responsible Disclosure Framework

Submission Requirements

  • Description

  • Reproduction steps

  • Impact analysis

  • Proof‑of‑concept

  • Suggested remediation (optional)

Remediation SLAs

  • Critical: Immediate

  • High: 7 days

  • Medium: 14–30 days

  • Low: 30–90 days

Disclosure Timeline

  • Public disclosure permitted only after we confirm the fix

  • Extensions may be requested for complex issues

8. Researcher Recognition

We value the contributions of the security community. Researchers who responsibly disclose vulnerabilities may be:

  • Offered a job interview with our CTO or engineering leaders

  • Invited to private testing programs

  • Acknowledged publicly (with consent)

9. FAQs

Do you offer monetary rewards / bug bounties?  

No. This is a no‑reward Responsible Disclosure Program. For recognition, please refer to the Researcher Recognition section.

Can I disclose the vulnerability publicly?  

Only after we confirm the fix.

What if I accidentally access sensitive data?  

Stop immediately and report it. Acting in good faith protects you.

Do insider‑only vulnerabilities count?  

Yes. Severity is based on impact, not attacker identity.

10. Contact Us 

If you believe you’ve discovered a security vulnerability, please contact our security team at: security[at]galileo[dot]ai 

We encourage encrypted communication where possible.