Vulnerability Disclosure Program
If you've found a security issue in GeoClear, please report it. We commit to a fair, transparent, and timely process, and we publicly credit researchers who help us harden the platform.
tl;dr: Email security@geoclear.io with details and reproduction steps. Acknowledgement within 72 hours. Public credit on resolution if you want it. Don't pivot, don't exfiltrate beyond a proof-of-concept, don't pen-test third parties.
In scope
- Production hosts: geoclear.io, api.geoclear.io, *.geoclear.io
- The @geoclear/verify-receipt npm package and its source repository
- Public JWKS endpoint: /.well-known/jwks.json
- MCP server endpoints: /mcp, /mcp/*
- x402 payment-handling endpoints
- Stripe webhook signature handling on /v1/webhook/stripe
Out of scope
- Sub-processor systems (AWS console, Stripe dashboard, Cloudflare DNS, etc.); report those to the vendor directly
- Social engineering of GeoClear staff or customers
- Physical attacks on infrastructure
- DoS / volumetric DDoS testing (please don't)
- Reports auto-generated by static scanners with no manual validation (e.g. a raw SSL Labs report, a security-headers grade of C); these are noise unless you can show concrete impact
- Self-XSS, missing rate-limiting on already-authenticated endpoints, EXIF/metadata in user-uploaded images (we don't accept uploads), and missing security headers on /.well-known/jwks.json (permissive CORS there is by design, since the JWKS is public and must be fetchable cross-origin)
Reporting channels
- Email: security@geoclear.io (PGP key on request)
- RFC 9116: our security.txt at /.well-known/security.txt
- GitHub security advisory: for issues in the verify-receipt package, file via the GitHub repo's Security tab
Our commitments
- Acknowledge your report within 72 hours
- Triage and respond with severity assessment within 5 business days
- Fix CRITICAL + HIGH severity within 48 hours of confirmation; MEDIUM within 30 days; LOW within 90 days
- Public credit in our security advisory + a Hall of Fame listing on this page (with your permission)
- No legal action against good-faith researchers operating within scope (safe-harbor below)
Safe harbor
GeoClear will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
- Do not exfiltrate data beyond what's needed to demonstrate the vulnerability
- Do not exploit findings for personal gain, and do not disclose them publicly before our remediation timeline has elapsed
- Report findings privately to security@geoclear.io and allow reasonable time for remediation
Bug bounty
GeoClear does not currently operate a paid bounty program. We are evaluating launching one in 2026-Q4 once volume justifies it. In the meantime, we offer:
- Public credit + Hall of Fame listing on resolution
- Swag (sticker pack) for any in-scope finding rated MEDIUM or higher
- Direct introduction to our hiring pipeline if the finding demonstrates exceptional skill
Hall of Fame
No public disclosures yet. Be the first.
Last updated: 2026-04-26 · Policy version: v1.0