What this page is
This is the coordinated-disclosure policy for Guardians of the AV. It tells security researchers, ethical hackers, students, and county CISO staff how to report a vulnerability to us, what we promise in return, and where the boundaries of in-scope testing are. It is the public version of the disclosure process we follow internally. The repository-root SECURITY.md file mirrors this page in shorter form. Companion documents are the privacy policy, the ethics commitments, and docs/legal/ciso_data_architecture_diagram.md in the repository.
The structure of this policy follows ISO/IEC 29147 (vulnerability disclosure) and the public-facing baselines set by the Electronic Frontier Foundation's "Who Has Your Back" criteria and the security pages of Cloudflare, 1Password, and Stripe.
For requests that arrive as records demands rather than vulnerability reports — California Public Records Act inquiries (Cal. Gov. Code §§ 7920-7930), subpoenas, or partner-agency CPRA exposure where the request mentions us — see the public-records request runbook at docs/operations/public_records_request_runbook.md in the repository. The full transparency catalog lives at /transparency.
Reporting a vulnerability
Send the report to security@guardiansofsolano.com. Include enough detail for us to reproduce the issue: the URL or endpoint, the steps, the expected vs. actual behavior, and any proof-of-concept artifacts. Screenshots and short screen recordings help. If you have a CVSS estimate, include it; if not, that's fine.
PGP encryption. A PGP public key for security@guardiansofsolano.com is part of the Phase 1.5 operations setup and is not yet published. Until it is, send reports in clear text to the address above; do not send exploit code, customer data, or sensitive evidence in the body — link to a password-protected file and share the password out-of-band, or wait for the PGP key to be posted here.
Response SLA. We will acknowledge receipt of your report within 5 business days. We will follow up with a triage assessment and remediation plan within 14 days of acknowledgment. If we miss either window, you can escalate by re-emailing the same address with "SLA missed" in the subject line.
Scope
The following assets are in scope for good-faith security research under this policy:
- The production site at guardiansofsolano.com and all subdomains we operate.
- The Supabase Postgres and Storage instance reachable through the public application surface (our project, our policies — not Supabase's infrastructure).
- Our Vercel-hosted serverless functions and route handlers (apps/web/app/api/*).
- Our Twilio Verify integration surface — i.e. the way our app calls Twilio, the way OTP flows are validated, and any webhook receivers on our side.
- Our Stripe integration surface — webhook signing, donation flows, credit-issuance bookkeeping on our side.
The following are explicitly out of scope:
- Vercel, Supabase, Twilio, and Stripe platform infrastructure. Report those directly to the respective vendors' security programs.
- Social engineering of our staff, our volunteers, our lived-experience advisors, or our partner-organization contacts.
- Denial-of-service tests, volumetric attacks, or load testing against the live site. We are a small Phase 0 alpha; please do not.
- Brute force or credential stuffing against our sign-up or sign-in endpoints. Phone-OTP enumeration is also out of scope.
- Any testing that is not isolated to a test account you personally control.
- Any test that touches, exposes, modifies, or attempts to de-anonymize another user's data — and especially any record marked confidential=true or any data flowing through the domestic-violence or Family Justice Center referral path. See the DV-survivor carve-out below.
- Findings already documented as known gaps on /ethics with a phase label — those are tracked, not novel.
Safe harbor for good-faith research
If you act in good faith under this policy — meaning you stay within the scope above, you do not access or alter other users' data, you do not exfiltrate data beyond the minimum needed to prove the vulnerability, and you report what you find promptly to security@guardiansofsolano.com — then Guardians of the AV commits to the following:
- We will not pursue civil action against you, and we will not support a criminal complaint against you, for activity that complies with this policy. This includes activity that would otherwise be technically covered by the federal Computer Fraud and Abuse Act, the California Comprehensive Computer Data Access and Fraud Act (Cal. Penal Code §502), the Digital Millennium Copyright Act's anti-circumvention provisions, or any similar law.
- We will not share your identifying information with law enforcement unless we are compelled by a lawful warrant or court order. Reference baseline: the Electronic Frontier Foundation's "Who Has Your Back" principles.
- We will not publish, dox, or otherwise expose your personal information in connection with your report. If we credit you on the acknowledgments list below, it is only with your explicit consent and only with the name or handle you specify.
- If a third party (e.g. a partner organization, a payment processor, or a law-enforcement agency) initiates action against you for activity that was within the scope of this policy, we will make a good-faith effort to clarify with them that your research was authorized under this policy.
This safe-harbor language describes our intent and our policy commitment. It is not yet a binding legal release reviewed by outside counsel. Counsel review is scheduled as part of the Phase 1.5 operations setup. Researchers who want a stronger written assurance before testing should email us — we will treat that request seriously and we will not retaliate for asking.
Coordinated 90-day disclosure window
We follow a coordinated-disclosure model consistent with ISO/IEC 29147:
- You report to us.
- We acknowledge within 5 business days and provide a triage assessment within 14 days of acknowledgment.
- We work to remediate. We will keep you updated at reasonable intervals.
- You may publish your finding 90 days after our acknowledgment, or as soon as we ship the fix, whichever comes first. You do not need our permission to publish at that point.
- If we need an extension beyond 90 days — for example, because the fix requires coordination with a partner — we will tell you why and negotiate in good faith. We will not use extension requests to indefinitely suppress a finding.
The DV-survivor carve-out below overrides this window for the paths it covers.
DV-survivor path — 24-hour carve-out
Any finding that involves the domestic-violence or Family Justice Center referral path, any resource marked confidential=true, or any code path that could re-identify a domestic-violence survivor, should be reported immediately to security@guardiansofsolano.com with "DV-PATH URGENT" in the subject line. The standard 90-day window does not apply. We commit to patching within 24 hours of confirmation and to notifying the affected partner organizations the same day. Public disclosure of the finding is held until the affected partners have been notified and a fix is live, regardless of the standard window.
What we don't offer (yet)
Honest list, so researchers know what to expect:
- No monetary bug bounty in Phase 0. We are a pre-501(c)(3) nonprofit running on a small donation base. A monetary bounty program is a Phase 2+ commitment, contingent on the 501(c)(3) operating budget supporting it.
- Hall-of-fame credit on this page, with your consent and under whatever name or handle you choose.
- LinkedIn endorsement or a written professional reference from the founders for serious findings, on request.
- No automated triage bot. Reports are read by a human (currently the founder). That means responses come from a person, not a queue.
What we do not have today
We don't want to misrepresent our security posture. As of the last-updated date above, Guardians of the AV does not operate a Security Information and Event Management (SIEM) platform, a dedicated Web Application Firewall beyond Vercel's platform defaults, an internal red team, a 24/7 on-call rotation, or formal SOC 2 / ISO 27001 certification. We rely on the platform-level controls of Vercel, Supabase, Stripe, and Twilio; on row-level security in Postgres; on append-only audit logs on admin actions; and on the structural commitments described in /ethics. Upgrading this posture is scoped for Phase 1.5 and Phase 2.
Acknowledgments
Researchers who report valid findings under this policy and who consent to public credit are listed here. The list is currently empty because the policy is new. As reports come in and fixes ship, names or handles will appear below with the month of the report.
No acknowledgments yet.
How this page changes
Material changes are recorded in git history at apps/web/app/security/page.tsx. The repository-root SECURITY.md is kept in sync with this page. Changes that weaken the safe-harbor commitment or the 24-hour DV-path carve-out require sign-off from both founders (Aaron Turner and Anadora Turner) and, once seated (Phase 1.5), the ethics advisory board.