SECURITY · Coordinated disclosure · RFC 9116

Responsible disclosure.

glomotec operates infrastructure for global mobility. We take the security of that infrastructure seriously and work with the research community to identify, verify, and remediate vulnerabilities responsibly.

This policy sets out what is in scope, how to report a vulnerability, what to expect from glomotec in response, and the safe harbour provided to good-faith researchers.

01 · Our commitment

Working with the research community.

glomotec welcomes good-faith security research that strengthens the platform on which our users, partners, and institutional customers rely. We commit to engaging constructively with researchers who follow this policy, to acknowledging legitimate reports promptly, and to remediating verified issues with appropriate urgency.

This policy applies across all glomotec infrastructure, products, services, and corporate properties operated by glomotec and its affiliates.

02 · Scope

Properties covered by this policy.

The following properties and surfaces are in scope for coordinated vulnerability disclosure.

In scope
  • glomotec.com and all subdomains, including www.glomotec.com
  • signal.glomotec.com, the SIGNAL qualification and intelligence layer
  • glomoteclabs.com and any redirect or DNS infrastructure operated by glomotec
  • Email and authentication infrastructure associated with glomotec.com mailboxes
  • API endpoints operated by glomotec and made available to authenticated users
  • Mobile and desktop applications published by glomotec, where applicable

Out of scope
  • Third-party services and providers used by glomotec, including Anthropic, Supabase, Vercel, Hostinger, Cloudflare, Twilio, and similar vendors. Issues in these services should be reported to the providers directly.
  • Social engineering of glomotec personnel or contractors.
  • Physical security testing of any glomotec premises.
  • Denial of service attacks, load testing, or stress testing.
  • Issues that require physical access to a user's device.
  • Reports of outdated software versions without a demonstrated, exploitable security impact.
  • Reports based solely on automated scanner output without independent validation.

03 · How to report

Reporting a vulnerability.

If you believe you have identified a security vulnerability in any in-scope property, please report it via one of the addresses below. Where practicable, encrypt sensitive information in transit.

Primary contact
Alternative contact

The canonical machine-readable version of this contact information is published at /.well-known/security.txt in accordance with RFC 9116.

04 · Report contents

What to include in your report.

To help us triage and respond effectively, please include the following in your initial report.

  • A clear description of the vulnerability and the affected property or endpoint.
  • Step-by-step instructions to reproduce the issue, including any required preconditions.
  • The potential impact of the vulnerability, including what data or functionality could be affected.
  • Any proof-of-concept code, screenshots, or supporting evidence.
  • Your preferred contact method and whether you wish to be credited publicly.

We ask that you do not perform any testing that could disrupt service for other users, access or modify data that does not belong to you, or persist access beyond the minimum needed to demonstrate the issue.

05 · Response commitments

What you can expect from glomotec.

When you submit a report in line with this policy, we commit to the following response timeline.

Within 48 hours
Acknowledgement

Confirmation that your report has been received and assigned an internal tracking reference.

Within 7 days
Initial triage

An initial assessment of the report and confirmation of whether the issue is in scope, reproducible, and accepted for remediation.

Ongoing
Status updates

Regular updates on remediation progress, with a target resolution timeline communicated based on severity.

On resolution
Confirmation and recognition

Notification when the issue has been resolved and, with your consent, public acknowledgement in our security recognitions.

06 · Safe harbour

Legal protection for good-faith research.

glomotec will not initiate or support legal action against security researchers who:

  • Engage in research in good faith and in accordance with this policy.
  • Make a reasonable effort to avoid privacy violations, service disruption, and destruction of data.
  • Report identified vulnerabilities promptly and only to glomotec.
  • Do not publicly disclose details of the vulnerability before glomotec has had a reasonable opportunity to investigate and remediate.

Important

This safe harbour applies to research conducted within the scope defined in section 02. It does not authorise activity that violates applicable law, accesses or exfiltrates data that does not belong to the researcher, or impacts the availability of services for other users.

07 · Acknowledgements

Security researchers we have worked with.

glomotec recognises researchers who responsibly disclose vulnerabilities and help strengthen our infrastructure. With researcher consent, names and contributions are acknowledged here as the programme matures.

This section will be updated as the disclosure programme develops.

Last updated · 11 May 2026

Security is infrastructure. We treat it that way.

If you have identified a vulnerability or want to understand more about how glomotec protects the data and operations entrusted to it, we welcome the conversation.