Security & Responsible Disclosure

Effective Date: May 27, 2026 · Operated by Valaya AI Technologies

Contact

Send security reports to [email protected] with the subject line beginning [security]. The machine-readable contact is published at /.well-known/security.txt.

simplegrid.ai and all sub-paths (this marketing site).
The SimpleGrid product platform served from customer-specific subdomains.
The free productive tools at /tools/ (everything runs in the browser; we still want to hear about XSS, mixed-content, or CSP-bypass findings).

Out of scope: third-party hosted dependencies (PostHog, GA4, cal.com, GitHub Pages, Cloudflare) - please report those to their respective programs.

Give us a reasonable window (we target 14 days for initial triage) before public disclosure.
Don't run automated scans that generate >100 requests/minute against our origins.
Don't access, modify, or exfiltrate data belonging to anyone but yourself.
Don't social-engineer SimpleGrid employees, partners, or customers.

Acknowledgement of your report within 2 business days.
An initial severity assessment + remediation plan within 14 days.
Credit in our release notes if you'd like attribution.
For valid findings on the SimpleGrid product, a bounty paid in USD via the channel of your choice. Amount scales with severity (CVSS) and impact.

Documented for transparency:

HTTPS everywhere with HSTS (max-age = 1 year).
Strict Content-Security-Policy declared on every page (default-src 'self', explicit allowlist for analytics + form-submit + CDN).
X-Content-Type-Options: nosniff via meta http-equiv (GitHub Pages constraint).
Referrer-Policy: strict-origin-when-cross-origin.
Permissions-Policy disabling geolocation, microphone, camera, and payment.
Analytics is deferred to first user interaction; nothing fires before consent.
The product platform uses per-tenant isolated PostgreSQL databases (no shared multi-tenant table).

None published yet. As soon as we close a reported issue with attribution, it lands here.