Security & Vulnerability Reporting Policy
How users, churches, and researchers can report security issues safely.
Last Updated: June 16, 2026
1. Security Contact
Report security concerns to security@graceconnect.app. Include a clear description, affected page or app area, steps to reproduce if safe, screenshots if necessary, and your contact information.
2. Responsible Reporting
Do not exploit or publicly disclose security issues, access other users’ data, modify data, interrupt services, use automated attacks, attempt privilege escalation beyond a harmless proof of concept, or test against production systems in a way that harms users.
3. What to Report
Report authentication bypasses, broken access controls, exposed secrets, unauthorized data access, insecure storage, public sensitive files, account takeover risks, unsafe admin permissions, payment/giving link abuse, privacy leaks, and injection or cross-site scripting issues.
4. Response
Grace Connect will review reports and prioritize issues based on risk. We may request more information, apply mitigations, notify affected churches or users where necessary, and document the resolution.
5. No Reward Guarantee
Grace Connect does not currently guarantee a bug bounty or payment for reports unless a separate written agreement exists.