Security
Responsible Disclosure
Effective March 16, 2026
We take the security of GEM²-AI seriously. If you discover a security vulnerability, we appreciate your help in disclosing it to us responsibly. This page describes our scope, reporting process, and safe harbor commitments.
Scope
This disclosure policy covers the following GEM²-AI services:
In Scope
- ✓TPMN Checker (MCP server and OAuth cloud endpoint)
- ✓User Management service (authentication, account management)
- ✓gemsquared.ai website
Out of Scope
- ×Third-party LLM providers (Anthropic, OpenAI, Google) — report to them directly
- ×Fly.io infrastructure — report to Fly.io
- ×Social engineering attacks against GEM² employees
- ×Denial-of-service attacks
How to Report
Send vulnerability reports to:
Subject line: [SECURITY] Brief description
Please include:
- •A description of the vulnerability and its potential impact
- •Steps to reproduce the issue
- •Any proof-of-concept code or screenshots
- •Your preferred method of contact for follow-up
What to Expect
Acknowledgment — within 48 hours
We will confirm receipt of your report and assign a tracking identifier.
Assessment — within 7 days
We will evaluate the severity and scope of the vulnerability and communicate our assessment.
Resolution — target 30 days
We will work to fix the vulnerability and notify you when a patch is deployed.
Safe Harbor
We will not pursue legal action against researchers who:
- •Act in good faith to discover and report vulnerabilities
- •Avoid accessing, modifying, or deleting data belonging to other users
- •Do not disclose the vulnerability publicly before we have had a reasonable opportunity to address it
- •Do not exploit the vulnerability beyond what is necessary to demonstrate it
Recognition
We believe in recognizing security researchers who help us improve. With your permission, we will credit you for valid reports. We do not currently offer a monetary bug bounty program, but we reserve the right to introduce one in the future.