Security Policy

Effective Date: January 2026

Gray Matter takes security seriously. We welcome responsible disclosure of security vulnerabilities from security researchers and the broader community.

Scope

This policy applies to:

  • graymatter.ch and all subdomains
  • Any Gray Matter-operated web applications
  • Our public-facing infrastructure

Out of Scope

The following are explicitly out of scope:

  • Social engineering attacks against Gray Matter staff
  • Physical security testing
  • Denial of Service (DoS/DDoS) attacks
  • Third-party services we use (report directly to those vendors)
  • Vulnerabilities requiring physical access to a device
  • Automated vulnerability scanning without prior coordination

How to Report

Send your findings to:

Email: security@graymatter.ch

Please include:

  1. Description of the vulnerability
  2. Steps to reproduce (detailed, step-by-step)
  3. Potential impact assessment
  4. Proof of concept (screenshots, logs, or code)
  5. Your contact information for follow-up

Encryption

For sensitive reports, you may encrypt your message using our PGP key (available upon request).

What to Expect

Timeline    Action
48 hours    Initial acknowledgment of your report
7 days      Preliminary assessment and severity classification
30 days     Target resolution for critical/high severity issues
90 days     Target resolution for medium/low severity issues

We will keep you informed throughout the process and notify you when the issue is resolved.

Safe Harbor

We support responsible security research. If you act in good faith and follow this policy:

  • We will not pursue legal action against you
  • We will not report your activities to law enforcement
  • We will work with you to understand and resolve the issue

Good faith includes:

  • Avoiding privacy violations (do not access or modify data belonging to others)
  • Avoiding disruption to our services
  • Not exploiting vulnerabilities beyond what is necessary to demonstrate the issue
  • Reporting vulnerabilities promptly and not disclosing publicly until resolved
  • Not using vulnerabilities for personal gain beyond recognition

Recognition

We do not currently offer a paid bug bounty program. However, we are happy to:

  • Acknowledge your contribution publicly (with your permission)
  • Provide a reference letter upon request
  • Add you to our security acknowledgments page (if created)

Cryptographic Standards

This website implements modern cryptographic protections:

  • Transport Security: TLS 1.3 with AES-256-GCM cipher suite
  • Post-Quantum Hybrid: X25519MLKEM768 key exchange (classical X25519 combined with ML-KEM-768) provides protection against future quantum computer attacks
  • Certificate Transparency: All certificates logged to public CT logs
  • HSTS Preload: HTTP Strict Transport Security with preload list inclusion

This policy does not create any legal obligation on behalf of Gray Matter. We reserve the right to modify this policy at any time. Participation in this program does not grant you any rights beyond those explicitly stated here.

Contact

Security Reports: security@graymatter.ch

General Inquiries: hello@graymatter.ch
This policy follows industry best practices for responsible vulnerability disclosure, including guidance from ISO 29147 and the CERT Guide to Coordinated Vulnerability Disclosure.
