1. Introduction
Glacier Byte Technology LLC welcomes good-faith security research that helps identify vulnerabilities in our systems before they can be exploited. We treat responsible disclosure as a contribution to the security of our customers and operations, and we are committed to working with researchers who identify issues in our production environment.
This policy defines the scope of authorized research, the rules of engagement, and how to report findings. If you have discovered a potential vulnerability, please read this policy in full before taking any action or submitting a report.
2. Scope
In scope
The following GBT-operated systems are in scope for authorized research under this policy:
- The public marketing website at glacierbytetechnology.com
- The client portal at portal.glacierbytetechnology.com
Out of scope
The following are explicitly outside the scope of this policy. Testing or reporting issues in these areas is not authorized under this policy and will not be treated as good-faith research:
- Third-party services or platforms used by GBT (report those findings to the respective vendor)
- Any systems, domains, or infrastructure not owned or operated by Glacier Byte Technology
- Physical security of GBT premises or facilities
- Social engineering of GBT personnel or customers
- GBT on-premises corporate infrastructure
3. Rules of engagement
Authorized research under this policy must be strictly non-destructive. You agree to the following conditions as a prerequisite for safe-harbor protections:
- Do not degrade, disrupt, or deny service to any GBT system or its users
- Remain within the systems listed in scope; do not pivot to out-of-scope targets
- Use only test accounts or your own accounts for testing; do not test against accounts belonging to others
- Do not access, modify, copy, or exfiltrate data that does not belong to you
- If you encounter data that appears to belong to a third party or a GBT customer, stop immediately and report it without accessing the data further
- Do not retain copies of any sensitive data encountered during research
4. Prohibited actions
The following actions are prohibited regardless of intent. Engaging in any of these will void safe-harbor protections under this policy:
- Denial-of-service (DoS/DDoS) attacks or load testing against production systems
- Automated high-volume scanning or fuzzing of production endpoints
- Social engineering or phishing directed at GBT personnel or customers
- Physical intrusion attempts against GBT facilities
- Submission of spam or resource-exhaustion payloads through the contact form or other input channels
- Accessing, altering, or destroying data belonging to GBT or its customers
- Public disclosure of a vulnerability prior to coordinated resolution with GBT
5. Safe harbor
Security research conducted in good faith and in strict compliance with this policy is authorized by Glacier Byte Technology. We will not pursue or support civil or criminal action against researchers for activity that conforms to this policy, and we will treat such activity as authorized access under the Computer Fraud and Abuse Act (CFAA) and analogous state and international statutes.
This policy constitutes the authorized carve-out to the prohibition on violating or attempting to violate the security of our website stated in Section 3.2 of our Terms of Service. Research that conforms to this Vulnerability Disclosure Policy is not a violation of those Terms.
If you are uncertain whether a planned action falls within the authorized scope of this policy, contact us at security@glacierbytetechnology.com before proceeding. We would rather answer the question in advance than have a well-intentioned researcher unknowingly step outside the authorized boundary.
6. How to report
Submit vulnerability reports by email to security@glacierbytetechnology.com. Encrypted submissions are available on request — a PGP key for encrypted reports can be provided by contacting that address.
Include as much of the following as is available:
- The affected URL, endpoint, or component
- Vulnerability type (e.g., XSS, IDOR, authentication bypass)
- Step-by-step reproduction instructions
- Assessed impact and any affected data
- Proof-of-concept code or screenshots, if applicable and safe to share
- Your preferred contact information for follow-up
Do not include sensitive customer data or credentials in your report. If reproduction requires demonstrating access to sensitive data, describe the access path and stop short of extracting or transmitting the data itself.
7. Response targets
The following are targets, not contractual service-level agreements. We will make reasonable efforts to meet them for reports that adhere to this policy:
- Acknowledgment: We aim to acknowledge receipt of your report within approximately 3 business days.
- Triage assessment: After validating the report, we will provide an initial assessment and an expected remediation timeline.
- Status updates: We will keep you informed of progress through remediation.
- Coordinated disclosure: We will coordinate the timing of any public disclosure with you. We ask that you allow us reasonable time to remediate before public release.
Glacier Byte Technology does not currently offer monetary rewards (bug bounties) for vulnerability disclosures. We do acknowledge researchers who report valid findings, subject to their preference for attribution.
8. Contact
Security disclosures and questions about this policy should be directed to:
Glacier Byte Technology LLC — Security
Helena, MT 59601
Email: security@glacierbytetechnology.com
CAGE Code: 9WYP0 | UEI: N3UKUXEY4RE5