
Supported Versions

Component           | Version | Supported
--------------------|---------|----------
Protocol spec       | v1.0    | Yes
@grantex/sdk        | 0.1.x   | Yes
grantex (Python)    | 0.1.x   | Yes
@grantex/langchain  | 0.1.x   | Yes
@grantex/autogen    | 0.1.x   | Yes
@grantex/vercel-ai  | 0.1.x   | Yes
grantex-crewai      | 0.1.x   | Yes
@grantex/cli        | 0.1.x   | Yes
If you are running a version not listed above, please upgrade before reporting.

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.
Send a report to security@grantex.dev with:
  • A clear description of the vulnerability and its potential impact
  • The affected component(s): auth-service, sdk-ts, sdk-py, cli, or SPEC.md
  • Steps to reproduce or a minimal proof-of-concept
  • Any suggested mitigations you have identified
Encrypt sensitive reports with the PGP key at https://grantex.dev/.well-known/security.asc.

Response SLA

Stage                   | Target
------------------------|-------------------------------
Acknowledgement         | 48 hours
Substantive response    | 7 business days
Patch (Critical / High) | 30 days from confirmation
Patch (Medium / Low)    | Next scheduled release

Coordinated Disclosure

  1. Reporter submits vulnerability to security@grantex.dev
  2. Triage, reproduce, and confirm within 7 business days
  3. Develop and test a fix, keeping the reporter in the loop
  4. Publish a patched release and a CVE (if applicable)
  5. Reporter is credited in the release notes (or kept anonymous, at their choice)
  6. Reporter may publish their write-up 30 days after the patch ships

Scope

In scope

Component     | Examples
--------------|-----------------------------------------------------------
auth-service  | Token issuance, verification, revocation, delegation
sdk-ts        | Client-side token handling, JWT verify
sdk-py        | Same surface as sdk-ts
langchain     | Scope enforcement, audit callbacks
autogen       | Function registry, scope enforcement
vercel-ai     | Tool scope checks, audit logging
crewai        | Tool scope enforcement
cli           | CLI tool, credential handling
portal        | Developer portal, auth flow, API key handling
SPEC.md       | Protocol design flaws

Out of scope

  • Vulnerabilities in third-party dependencies (report upstream; let us know so we can track)
  • Physical access attacks
  • Social engineering
  • Denial-of-service attacks against hosted infrastructure
  • Findings requiring existing admin credentials with no privilege escalation
  • Automated scanner output without evidence of exploitability

Bug Bounty

We do not currently operate a formal bug bounty programme. Impactful reports are recognized publicly in release notes and on the Hall of Thanks.