Security

Vulnerability Disclosure Policy

Effective date: May 1, 2026

Gigacatalyst welcomes contributions from the security research community. If you believe you have found a security vulnerability in any Gigacatalyst-owned service, we encourage you to report it through our coordinated disclosure process.

How to Report

Send vulnerability reports to:

[email protected]

Please include:

  1. A description of the vulnerability, including the affected service or endpoint
  2. Step-by-step instructions to reproduce the issue
  3. The potential impact or severity in your assessment
  4. Any supporting material: proof-of-concept code, screenshots, HTTP requests/responses
  5. Your preferred contact method for follow-up communication

Our Response

  • 2 days: We will acknowledge receipt of your report
  • 5 days: We will provide an initial assessment and severity classification
  • Ongoing: We will keep you informed of remediation progress and notify you when the issue is resolved

Scope

In Scope

  • gigacatalyst.com and all subdomains
  • Gigacatalyst APIs and backend services
  • Builder and app generation infrastructure
  • Authentication and session management

Out of Scope

  • Social engineering of employees or customers
  • Denial of service (DoS/DDoS) attacks
  • Physical attacks against offices or data centers
  • Third-party services not operated by Gigacatalyst
  • Issues already reported and under active remediation

Safe Harbor

Gigacatalyst will not pursue legal action against security researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, and disruption to our services
  • Do not access or modify data belonging to other users
  • Report vulnerabilities promptly and do not publicly disclose before remediation
  • Do not exploit a vulnerability beyond what is necessary to demonstrate the issue

Recognition

We believe in recognizing the work of security researchers. With your permission, we will publicly credit you when a vulnerability is resolved. We do not currently offer a paid bug bounty program, but we are grateful for responsible disclosures that help keep our customers safe.

Contact

For security-related inquiries that are not vulnerability reports:

Email: [email protected]

For DPA requests, compliance questions, or to schedule a security review call, reach us at the same address.