Skip to content
Skip to content
Goodspeed

Security and Vulnerability Disclosure

How to report a vulnerability and what to expect from us.

Last updated: July 2, 2026

Jump to section

Goodspeed LLC ("Goodspeed") takes the security of the Service and our customers' data seriously. This policy explains how to report a vulnerability and what you can expect from us.

How to Report

Email security@goodspeed.app with a description of the issue. Where possible, include:

  • The type of issue (for example, injection, authentication bypass, exposure of data).
  • The affected URL, endpoint, or component.
  • Steps to reproduce, along with any proof-of-concept.
  • The impact you believe the issue has.

If you need to send sensitive details, ask us for a secure channel in your first message and we will arrange one.

Our Commitment

  • We will acknowledge your report promptly and keep you updated as we investigate.
  • We will work in good faith to validate, triage, and remediate confirmed issues.
  • We will let you know when the issue is resolved, and we are happy to credit you if you would like recognition.

Safe Harbor

If you make a good-faith effort to comply with this policy during your research, we will consider that research authorized, we will not recommend or pursue legal action against you, and we will not report you to law enforcement. Good faith means you:

  • Respect user privacy and do not access, modify, or retain more data than is necessary to demonstrate the issue.
  • Avoid actions that degrade, disrupt, or destroy the Service or its data (for example, denial-of-service, spam, or brute-forcing beyond what is needed to prove an issue).
  • Stay within the scope of your own account and test data, and do not pivot to other customers' data.
  • Give us a reasonable opportunity to remediate before you disclose the issue publicly.

This safe harbor does not authorize activity that is otherwise illegal, and it does not waive rights held by third parties whose systems the Service depends on.

Scope

In scope: goodspeed.app, admin.goodspeed.app, our APIs, and application subdomains we provision ({your-app}.goodspeed.app).

Out of scope: findings that require physical access to a user's device, social engineering of Goodspeed staff or customers, issues in third-party services we rely on (report those to the third party), and reports of missing best-practice hardening with no demonstrated impact.

No Paid Bounty

We do not currently operate a paid bug-bounty program. We still welcome reports and will credit researchers who want recognition.

Coordinated Disclosure

We ask that you give us a reasonable window to remediate before publishing details of a vulnerability, and that you coordinate the timing of any public disclosure with us. We will not ask for indefinite silence.

Contact

Security reports: security@goodspeed.app General legal contact: legal@goodspeed.app Postal address: Goodspeed LLC, 3844 Santa Caterina Blvd, Bradenton, FL 34211

Ready to build?

Score your ideas free. No card required.