Security Policy

GigaTap security policy with vulnerability disclosure expectations and security contact guidance.

/security-policy GigaTap policy

Security Policy

First published: February 27, 2026
Last updated: February 27, 2026

1. Scope#

This Security Policy applies to:

  • https://gigatap.top
  • https://docs.gigatap.top

Operational security procedures for VPN infrastructure at https://vpn.gigatap.top are managed under separate service documentation.

2. Reporting Security Issues#

Primary reporting channel:

  • https://t.me/GigaTapVPN_Support_Bot

Encrypted reporting key:

  • https://gigatap.top/.well-known/pgp-key.asc
  • PGP fingerprint: 7826 28E8 5DE1 82A4 9A75 6ACF 806B A3F2 7F45 F7D9

Please include:

  • affected URL/path,
  • reproducible steps,
  • proof-of-concept or logs,
  • impact assessment,
  • suggested mitigation if available.

3. Response SLA#

  • Acknowledgement target: within 72 hours.
  • Triage and severity classification: as soon as practical after acknowledgement.
  • Fix and disclosure timing depends on severity, exploitability, and operational constraints.

4. Responsible Disclosure#

We request coordinated disclosure:

  • do not publicly disclose exploitable details before remediation or coordination,
  • provide reasonable time for validation and patching,
  • avoid privacy-impacting publication of user data.

5. Safe Harbor (Good Faith Research)#

We support good faith security research when testing stays within legal and ethical boundaries and avoids user harm.

We consider activities out of scope if they involve:

  • social engineering of staff/community,
  • physical attacks,
  • denial-of-service attacks,
  • spam or destructive testing,
  • unauthorized access to third-party infrastructure.

6. Security Controls Overview#

Current controls include, among others:

  • HTTPS and HSTS enforcement,
  • strict security headers,
  • Content Security Policy with controlled script/connect/frame sources,
  • Permissions-Policy hardening,
  • dependency and supply-chain monitoring in build workflow,
  • segmented optional third-party scripts behind user consent.

7. Incident Handling#

We maintain incident response runbooks and prioritize containment, impact reduction, and service recovery.

Depending on incident type, actions may include:

  • temporary feature restriction,
  • key/token rotation,
  • infrastructure hardening,
  • post-incident review and control updates.

8. Dependency and Platform Security#

Application security also depends on third-party providers and libraries. We regularly update dependencies and may deprecate integrations that no longer meet security or privacy standards.

9. Policy Updates#

This policy is updated as architecture, legal requirements, or threat models evolve. The “Last updated” date marks the current version.

  • Privacy Policy: /privacy-policy
  • Security contact file: /.well-known/security.txt
  • PGP key: /.well-known/pgp-key.asc