Vulnerability Disclosure Program

Found something? Tell us.

We operate broadcast infrastructure that handles real money, real audiences, and real personal data. If you have found a security issue in any GlueArrow service, please report it. We acknowledge every report within 3 business days and protect good-faith researchers under a documented safe-harbor policy.

Document identifier: GA-VDP-1.0 · Effective date: 2026-04-24 · RFC 9116 compatible

What you can expect from us

Realistic timelines we can keep, not optimistic ones we cannot. If we miss any of these, we tell you directly and explain why.

Acknowledgement

3 business days

Every well-formed report is confirmed within three business days.

Initial validation

10 business days

Severity triage and reproduction within ten business days of acknowledgement.

Critical patch

30 calendar days

Critical issues are patched within 30 days from validation.

Disclosure window

90 days

Default coordinated disclosure window from validation; flexible by agreement.

Scope

Where we welcome research, and where we ask you not to test. The full scope definition with edge cases is in the program document below.

In scope

  • gluearrow.com and all production subdomains operated by GlueArrow Inc.
  • GlueArrow Box OS — the on-premises broadcast engine (Korra OS, Linux, Windows distributions)
  • Official GlueArrow mobile and web applications
  • GlueArrow Cloud REST and WebSocket APIs documented in the API Reference
  • Software supply chain — over-the-air update channels, signed release manifests, SBOM process

Out of scope

  • Third-party services we use as sub-processors (Google Cloud, Anthropic, AudD, Restream)
  • Customer-deployed Box OS instances on customer infrastructure
  • Findings already publicly disclosed or in our public issue tracker
  • Beta, preview, and developer-preview features expressly designated as such
  • Marketing landing pages, legacy redirects, non-production environments

Safe harbor

Good-faith research conducted consistent with this policy is authorized. We will not pursue legal action against, or otherwise penalize, researchers who comply with the rules below. If a third party initiates legal action against you for authorized activity, we will take reasonable steps to make it known that your actions were authorized.

  • Test only against in-scope assets
  • Avoid privacy violations and data destruction
  • Stop at minimum proof of vulnerability
  • Coordinate disclosure before going public

Recognition

Researchers who responsibly disclose valid vulnerabilities are credited here (unless they prefer anonymity). Mention “credit me” in your report with the name or handle you would like used.

Hall of Fame

No researchers credited yet. This page will be updated as reports are validated. Want to be the first?


The complete VDP

The above tiles summarise the program. The complete document below is what we will point researchers to from the Security Whitepaper and from incident-response runbooks.

GlueArrow Inc. — Vulnerability Disclosure Program (VDP)

Document identifier: GA-VDP-1.0 · Effective date: 2026-04-24


1. Our Commitment

GlueArrow operates broadcast infrastructure that handles real money (advertiser billing, royalty distribution), real audiences (live broadcast), and real personal data. We take the security of that infrastructure seriously.

This Vulnerability Disclosure Program (VDP) explains how to report a security issue to GlueArrow, what to expect from us in return, and the legal protections that apply when you research our systems in good faith.

If you believe you have found a security vulnerability in any GlueArrow service or product, please report it to us through the channel described below. We welcome reports from security researchers, customers, and members of the public.

2. How to Report

Primary channel: security@gluearrow.com

PGP encryption (optional but encouraged): PGP key fingerprint and public key are available on request from the same address. We will publish the fingerprint on this page once the key has been generated and rotated through our internal process.

Response time: We acknowledge every well-formed report within 3 business days.

What to include in a report

To help us reproduce, validate, and triage as quickly as possible, please include:

  • A clear description of the vulnerability and its impact
  • The affected component (URL, IP, hostname, software version, or product)
  • Step-by-step reproduction instructions
  • Proof-of-concept code, request payloads, or screenshots where applicable
  • Your contact information and whether you would like to be credited
  • Any disclosure deadline you have in mind

We do not require a CVSS score in the initial report; we will assign one during triage.

3. Our Response Commitments

Phase                                         Target
--------------------------------------------  ----------------------------------------
Acknowledgement of receipt                    3 business days
Initial validation and severity triage        10 business days
Patch for critical-severity issues            30 calendar days from validation
Patch for high-severity issues                60 calendar days from validation
Patch for medium- and low-severity issues     Next regular release cycle
Coordinated public disclosure window          90 days from validation by default

If we miss any of these targets, we will tell you directly and explain why. Realistic timelines beat optimistic ones we cannot keep.

For the most critical issues — those involving active exploitation, broad impact, or credential exposure — we may issue an out-of-band patch within hours and disclose immediately afterwards.

4. Scope

4.1 In scope

The following are eligible for reporting under this VDP:

  • Production web properties: gluearrow.com, app.gluearrow.com, accounts.gluearrow.com, cloud.gluearrow.com, docs.gluearrow.com, and any other subdomain of gluearrow.com operated by GlueArrow Inc.
  • GlueArrow Box OS — the on-premises broadcast engine, including the Korra OS appliance image, the Linux installer, and the Windows distribution
  • GlueArrow mobile applications — official iOS and Android apps published under the GlueArrow Inc. developer accounts
  • GlueArrow Cloud APIs — REST and WebSocket endpoints documented in the API Reference
  • Software supply chain — over-the-air update distribution channels, signed release manifests, and the Software Bill of Materials process

4.2 Out of scope

The following are not eligible under this VDP. Please do not report on them:

  • Third-party services that we use as sub-processors (Google Cloud, Anthropic, AudD, Restream). Report to those vendors directly under their own VDPs.
  • Customer-deployed instances of Box OS running on customer infrastructure (test against your own deployment instead).
  • Findings already disclosed publicly or already in our public issue tracker.
  • Findings against beta, preview, or developer-preview features explicitly marked as such — these are subject to change without notice.
  • Findings against legacy redirects, marketing landing pages, or non-production environments.
  • Vulnerabilities in third-party open-source libraries unless you can demonstrate exploitability in our deployment context.

5. Safe Harbor

GlueArrow will not pursue legal action against, or otherwise penalize, security researchers who:

  1. Make a good-faith effort to comply with this VDP;
  2. Test only against in-scope assets;
  3. Avoid privacy violations, destruction of data, denial of service, or interruption of legitimate user activity;
  4. Do not exploit a vulnerability beyond the minimum necessary to confirm it;
  5. Report the vulnerability promptly through security@gluearrow.com and do not disclose it publicly until we have agreed a coordinated disclosure date or 90 days have elapsed (whichever is earlier);
  6. Do not use the vulnerability to access, copy, or modify data that does not belong to you;
  7. Comply with all applicable laws, including the U.S. Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and equivalent laws in your jurisdiction.

We consider activities conducted consistent with this policy to constitute "authorized" conduct under the Computer Fraud and Abuse Act, will not bring a DMCA claim against you for circumventing technological protection measures, and will waive any restrictions in our online terms of service that would interfere with conducting security research, but only for the purpose of conducting research consistent with this policy.

If a third party initiates legal action against you for activities conducted in compliance with this policy, we will take reasonable steps to make it known that your actions were authorized.

If you are unsure whether your planned research is consistent with this policy, contact us at security@gluearrow.com before you start. We would rather you ask.

6. Permitted and Prohibited Test Methods

6.1 Permitted

  • Manual security testing of in-scope assets at reasonable rates (no more than 100 requests per second per box for on-premises systems; no more than 10 requests per second per cloud endpoint).
  • Reverse engineering of distributed binaries for the purpose of vulnerability research.
  • Social engineering tests against your own personnel only, with their consent.
  • Reporting findings derived from publicly available source code, traffic captures from your own deployment, or vulnerability scanners run within the rate limits above.

6.2 Prohibited

  • Denial-of-service or resource-exhaustion attacks (intentionally degrading service availability).
  • Social engineering of GlueArrow personnel, customers, or partners (phishing, pretexting, vishing).
  • Physical attacks against GlueArrow facilities or hardware.
  • Posting credentials, customer data, or vulnerability details publicly before coordinated disclosure.
  • Attacks that disrupt customer broadcasts, modify customer schedules, or affect proof-of-play records.
  • Testing against third-party services we depend on.
  • Use of any vulnerability to access, copy, modify, or exfiltrate data that does not belong to you.

7. Coordinated Disclosure

The default coordinated disclosure window is 90 days from validation. We may agree a shorter or longer window in writing depending on the severity of the issue, the complexity of the fix, and the risk of premature disclosure.

After the patch is released, we will publish:

  • A release note in the changelog at https://docs.gluearrow.com/changelog
  • A security advisory if the vulnerability had material impact on customers
  • Acknowledgement of the reporter in the security advisory and on the Recognition page below, unless the reporter has requested anonymity

If you intend to publish your own write-up, please send us a draft for review at least 5 business days before publication. We will not request changes to your wording; we only want to ensure that no still-vulnerable customer is exposed before the fix has propagated.

8. What We Do Not Offer (Yet)

We are honest about what we are not yet ready for:

  • No paid bug bounty program at this time. We may launch one in the future; for now, recognition is non-monetary.
  • No formal SLA-backed program for low-severity issues. Cosmetic, theoretical, or research-grade findings will be acknowledged but may not be patched quickly.
  • No swag program while we are at this scale. We will revisit when reporter volume justifies it.

9. Recognition (Hall of Fame)

The following researchers have responsibly disclosed valid vulnerabilities to GlueArrow. Thank you.

No researchers credited yet — this page will be updated as reports are validated.

To request an entry, mention "credit me" in your initial report and provide the name or handle you would like to use.

10. Out-of-Scope Issues

We do not consider the following to be vulnerabilities under this VDP. Reports on them will be acknowledged for completeness but will be closed without further action:

  • Self-XSS that requires the victim to paste content into their own browser console
  • Missing security headers on assets that do not handle sensitive data (e.g. Strict-Transport-Security on the marketing page)
  • CSP wildcards on pages that do not host user-generated content
  • Missing rate limits on endpoints that have intentionally been left without rate limiting (please ask if unsure)
  • Outdated software banners on services that we have already mitigated through other controls
  • Theoretical clickjacking without demonstration of meaningful impact
  • Tab-nabbing on links to first-party content
  • Missing DMARC / SPF / DKIM on subdomains we do not send mail from
  • Findings reproduced only by browser plugins, antivirus tools, or custom proxies that modify the page outside the user's normal browser
  • Best-practice deviations that do not present a real risk

If you believe one of the above represents a real exploitable issue in our environment, please explain the impact and chain in your report.

11. Attribution and Updates

This program is loosely modelled on industry-standard frameworks including disclose.io and the recommendations of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive 20-01.

We may update this policy from time to time. The current version is always at https://gluearrow.com/security. Material updates will be reflected in the document version (GA-VDP-x.y) at the top of the page.

12. Contact

  • Vulnerability reports: security@gluearrow.com
  • General security questions: same address
  • Postal address: GlueArrow Inc., 1111B S Governors Ave # 50266, Dover, DE 19904, United States

For everything outside of security: support@gluearrow.com (operations) or enterprise@gluearrow.com (commercial).
