Security

How we protect your data, and how to tell us about a vulnerability.

Gorebet takes security seriously. If you find a vulnerability, please tell us responsibly.

Our security measures

Encrypted connections

All data between the app and our servers is encrypted in transit using TLS 1.2 or higher.

Encrypted storage

Data stored on our servers is encrypted at rest.

No passwords

Account access uses one-time codes sent to your registered phone number. We do not store passwords.

Anonymous mode

Anonymous reports are permanently separated from your identity at submission. No one — including Gorebet staff — can link an anonymous report back to you.

No advertising identifiers

The Android advertising ID (Ad ID) is explicitly disabled. We do not use the iOS advertising identifier (IDFA). We do not share your data with advertising networks.

Dependency audits

We audit software dependencies in automated testing. High-severity vulnerabilities block deployments.

Our machine-readable security contact is available at /.well-known/security.txt per RFC 9116.

Report a vulnerability

If you discover a security vulnerability in the Gorebet app, website, or backend API, please report it responsibly before making it public.

How to report

Email [email protected] with: a description of the vulnerability, steps to reproduce it, and any supporting evidence (screenshots, payloads). Please do not exploit the vulnerability or access data beyond what is needed to demonstrate it.

What to expect

Acknowledgement: within 72 hours of your report.
Triage: within 14 days; we will confirm the severity and assign a fix timeline.
Critical severity: hotfix deployed within 7 days of triage.
High severity: fix within 30 days.
Medium severity: fix within 90 days.

Out of scope

Theoretical attacks without a proof of concept, social engineering attacks targeting Gorebet staff, and physical security are out of scope for this program.

To report a vulnerability: [email protected]

Built with community trust

Gorebet is not a law enforcement tool. Anonymous reporting is permanent. We do not sell data. Sensitive reports are never public.

In an emergency call 911 or 939.