Security & responsible disclosure

Report an issue

If you have found a security problem in any GRRC surface — this site, the verification endpoints, or the published artifacts — or a GRRC claim that does not hold when checked, report it to security@grrc.ai.

Machine-readable pointer: /.well-known/security.txt (RFC 9116).

Try to break it yourself

GRRC's claims are engineered to be checked from the outside, without trusting GRRC. The Independent Verification Specification is complete enough to build your own verifier, and every input it needs is fetchable and mirrorable on infrastructure you control. The strongest report is one you can reproduce against those published artifacts — and if you can make a GRRC claim fail, that is exactly the kind of report this channel exists for.

What a useful report contains

A reproducible path: the URL or artifact concerned, what you expected, and what you observed. If your finding involves the verification surface, include the artifact bytes or digests you checked. Reports are read directly by the operator. There is no bug-bounty program today, and no response-time commitment is published — a small operation states that plainly rather than promising what it cannot guarantee.