Security and responsible disclosure
At Intergrid (Opengea SCCL) we take the security of our services and the protection of our clients' data seriously. We are grateful to the community of researchers who help us improve by responsibly disclosing any vulnerabilities they find.
1. How to report a vulnerability
If you have found a possible security vulnerability, write to us at sistemes@intergrid.cat. To help us reproduce and resolve the issue, please include, if you can:
- A clear description of the vulnerability and its potential impact.
- The steps to reproduce it (affected URL or endpoint, parameters, example requests).
- Any proof of concept, screenshot or log that illustrates it.
We will acknowledge receipt of your report within 5 business days and keep you informed of the resolution status.
2. Commitment to good-faith research (safe harbor)
If you carry out your research in good faith and respect this policy, we will not take legal action against you. To qualify, you must:
- Not access, modify or download data that is not yours beyond the minimum necessary to demonstrate the vulnerability.
- Not degrade the service: no denial-of-service (DoS) attacks, mass brute force or large-scale request flooding.
- Not publicly disclose the issue until we have fixed it and have agreed on the disclosure together (coordinated disclosure).
- Delete any data you may have accessed once you have sent us the report.
This protection does not cover actions that harm our users, violate their privacy or break applicable law.
3. Out of scope
We generally consider the following to be outside the scope of this policy:
- Purely theoretical reports, without demonstrable security impact.
- Vulnerabilities in third-party services that we do not control.
- Social engineering attacks against our staff or clients.
- Physical attacks against our facilities or equipment.
4. Coordinated disclosure
We work to resolve reported vulnerabilities with the utmost diligence. We ask you to give us a reasonable amount of time to fix the issue before making it public, and we commit to keeping you informed and coordinating the disclosure timing with you.
5. Recognition
We are a small non-profit organization and do not have a formal monetary reward program. Even so, we greatly value responsible disclosure and, depending on the case, we offer:
- Public acknowledgment on this page (if the person wishes).
- A reference letter about the finding and the responsible conduct.
- A symbolic token of appreciation, depending on the severity and on our means as a non-profit entity.
We want to thank everyone who has helped us make our services more secure.
Acknowledged researchers:
- b4d1t — responsible disclosure of an SQL injection vulnerability · 05/2026
Last update: 02/06/2026