Vulnerability Disclosure Policy
Huddle01 Cloud is operated by Graphene 01 Inc.
To help us triage and respond quickly, please include:
Description of the vulnerability and its potential impact
Steps to reproduce or proof-of-concept code
Affected systems (URLs, API endpoints, services)
Your assessment of severity (Critical/High/Medium/Low)
Any supporting materials (screenshots, logs, videos)
Your contact information for follow-up
We'll keep you informed throughout the process and notify you when the vulnerability has been remediated.
huddle01.cloud and *.huddle01.cloud
Huddle01 Cloud API (api.huddle01.cloud)
Huddle01 Cloud Dashboard and web applications
Authentication and authorization systems
Network isolation between tenants
Data exposure or leakage vulnerabilities
The following are not eligible for this program:
Attacks requiring physical access to user devices
Social engineering (phishing, vishing, etc.) against Huddle01 employees or users
Denial of Service (DoS/DDoS) attacks
Attacks against third-party services we use (report to them directly)
Vulnerabilities in customer applications hosted on Huddle01 Cloud
Attacks requiring compromised user accounts (unless demonstrating an escalation)
Automated scanning output without demonstrated impact
Missing security headers without demonstrated exploit
SSL/TLS configuration issues without demonstrated exploit
Clickjacking on pages with no sensitive actions
CSRF on logout or other low-impact actions
Email spoofing (SPF/DKIM/DMARC configuration)
Vulnerabilities in outdated browsers or plugins
Content injection without demonstrated impact
To ensure a safe and legal research process, we ask that you:
Do:
Act in good faith and avoid privacy violations, data destruction, or service disruption
Only interact with accounts you own or have explicit permission to test
Stop testing and report immediately if you access user data
Give us reasonable time to resolve issues before any public disclosure
Use the minimum access necessary to demonstrate the vulnerability
Don't:
Access, modify, or delete data belonging to other users
Perform actions that could harm the availability of our services
Use automated tools that generate significant traffic
Publicly disclose vulnerabilities before we've had time to address them
Engage in extortion or threats
We consider security research conducted in accordance with this policy to be:
Authorized under the Computer Fraud and Abuse Act (CFAA) and similar laws
Exempt from DMCA restrictions on circumvention of security measures
Lawful and conducted in good faith
We will not pursue legal action against researchers who:
Follow this policy and act in good faith
Avoid privacy violations and data destruction
Do not exploit vulnerabilities beyond what is necessary to demonstrate them
Report findings to us before any public disclosure
If legal action is initiated by a third party against you for research conducted under this policy, we will make it known that your actions were authorized.
We believe in recognizing the efforts of security researchers who help us improve.
Hall of Fame: With your permission, we'll acknowledge your contribution on our security page
Reference letter: Upon request, we can provide a reference letter confirming your responsible disclosure
Note: We do not currently offer monetary rewards, but we deeply appreciate your contributions to keeping Huddle01 Cloud secure.
The following will disqualify a submission:
Violations of this policy
Disclosure of vulnerabilities before resolution
Submission of vulnerabilities already known to us
Submission from automated scanners without analysis or verification
Threatening or coercive behavior
If you have questions about this policy or want to check whether specific research is in scope, contact us at security@huddle01.cloud before beginning your research.
This policy is inspired by industry best practices and disclose.io standards.
Last updated: January 2026
