Security & Responsible Disclosure
Gia Marine Intelligence LLC
Report a security issue: security@giamarine.com
Expected response time: within 2 business days. For critical issues (active exploitation, exposed credentials, data exfiltration risk), please put CRITICAL in the subject line.
Our Commitment
We take the security of our systems and the safety of our customers' data seriously. We welcome reports from independent security researchers, customers, and the broader community, and we will work with you in good faith to investigate, remediate, and credit verified findings.
Scope
Issues reported under this policy must affect one of the following Gia Marine Intelligence assets:
- giamarine.com and any subdomain we operate
- owners-manual-assistant.onrender.com (Render production deployment)
- The Gia Marine FastAPI backend API endpoints
- The Gia Marine web application (static/index.html and related assets)
Out of scope
Issues in the following are out of scope for this disclosure program, though we still appreciate hearing about them:
- Third-party services we use as subprocessors. Report directly to those vendors using their respective disclosure programs (see /subprocessors).
- Issues in software we run but did not write (FastAPI, PostgreSQL, etc.) unless we have introduced a misconfiguration.
- Best-practice recommendations without a demonstrable vulnerability (e.g., "you don't have header X"). We are interested if you can demonstrate exploitation.
- Issues that require physical access to a victim's device, social engineering of Gia Marine staff, or non-default browser configurations.
- Vulnerabilities affecting outdated browsers or operating systems.
- Denial-of-service attacks (rate-limit testing should be coordinated in advance).
- Content of underlying manufacturer manuals (factual errors, omissions). Report those to the manufacturer.
What to Include in a Report
To help us triage and respond quickly, please include:
- A clear description of the vulnerability and its security impact;
- The asset affected (URL, endpoint, or component);
- Steps to reproduce, with screenshots or video if useful;
- Any proof-of-concept code or commands (clearly marked as such);
- Your assessment of the severity (CVSS score appreciated but not required);
- Whether you are willing to be publicly credited if we publish an advisory.
Safe Harbor
Gia Marine Intelligence considers security research conducted in accordance with this policy to be:
- Authorized under the Computer Fraud and Abuse Act and similar U.S. state computer-crime statutes;
- Authorized for purposes of DMCA § 1201;
- Exempt from restrictions in our Terms of Service and Acceptable Use Policy that would otherwise interfere with conducting security research.
We will not pursue legal action against researchers who:
- Make a good-faith effort to follow this policy;
- Avoid privacy violations, destruction of data, and interruption or degradation of the Service;
- Only interact with their own accounts or accounts they have explicit permission to test;
- Do not disclose details of the vulnerability publicly until we have had a reasonable opportunity to remediate (typically 90 days, or earlier by mutual agreement);
- Do not engage in extortion or demand payment as a condition of disclosure.
If law enforcement initiates a legal investigation against you because of your good-faith compliance with this policy, we will take steps to make it known that your actions were authorized.
What We Will Do
- Acknowledge your report within 2 business days;
- Provide an initial assessment within 7 business days;
- Keep you informed of remediation progress;
- Credit you in any public advisory we publish (unless you request otherwise);
- Coordinate any public disclosure timing with you.
Rewards
Gia Marine does not currently operate a paid bug bounty program. We may, at our discretion, offer recognition (public credit, swag, or a discretionary thank-you payment) for high-impact reports. We will be transparent if and when a formal paid program launches.
Encryption
For sensitive reports, you may request our PGP public key in your initial email and we will respond with one. Future: a published PGP key will be linked here once SOC 2 onboarding is complete.
Machine-readable security.txt
A machine-readable contact file per RFC 9116 is available at /.well-known/security.txt.
Last updated: [DATE]