Responsible Disclosure of Security Issues

We welcome the community to help contribute to the security of our platform and the Giant Swarm ecosystem.

To report a vulnerability or abuse, or for security-related inquiries, please send an email to security@giantswarm.io.

If you have a sensitive issue, you can encrypt your message using our PGP key.

We appreciate you choosing to contact us directly with your concerns. We are committed to protecting our users and our customers, and will act quickly to investigate and respond to your report.

Following your report, Giant Swarm will:

- acknowledge your email within 48 business hours
- reach out to you for additional information if necessary
- notify you when the problem has been resolved

Giant Swarm does not have a bug bounty program at this time, but we would be happy to publicly credit you for the finding and send you some swag as a small thank you.

If you would like to be credited, please include the name, nickname, and/or GitHub username you would like us to reference, as well as your shipping information for us to send your Giant Swarm gear.

Thank you for reporting responsibly!


Our public website (giantswarm.io) and its subdomains do not serve any user login, account management, or otherwise sensitive content. For that reason, the following areas and findings are currently out of scope:

- Clickjacking on any giantswarm.io page
- The Content-Security-Policy header
- The X-XSS-Protection header
- The HSTS header/mixed HTTP(S) content


Additional out-of-scope findings:

- Contact form rate limits