If you believe you have found a security vulnerability in Gloam, please report it to security@gloam.tv. We respond within two business days and aim to issue a fix or mitigation within thirty days for high-severity issues.
Please include a clear description of the issue, the steps required to reproduce it, and the impact you believe it has. If you have a proof of concept, attach it. Encrypt sensitive reports to the PGP key published at /.well-known/pgp-key.asc.
Do not exploit the vulnerability to access other users’ data, and do not publicly disclose it before we have had a reasonable window to fix it. We will credit you below unless you ask us not to.
In scope: the gloam.tv web application, the player at /player, the dashboard, the API surfaces under /api, and the authentication flow.
Out of scope: vulnerabilities in third-party services we depend on (report those to the upstream provider), social engineering of our staff, denial-of-service attacks against our hosting, and issues that require physical access to a user’s device.
We acknowledge receipt within two business days. We triage the report and assign a severity rating based on CVSS. We keep you informed of progress and notify you when a fix is shipped.
For high-severity issues, we publish a post-mortem on this page after the fix is deployed, describing what happened, what we changed, and what we learned, without naming the reporter unless they consent.
Gloam runs on Vercel (application hosting and edge delivery) with a managed PostgreSQL database and authentication from Supabase in the European Union (Frankfurt). Payment processing is handled by Stripe. Error monitoring is handled by Sentry.
The full list of sub-processors, with the purpose and location of each, is published at /legal/sub-processors.
All traffic to and from gloam.tv is served over HTTPS. We do not support plain HTTP. The PGP key for encrypted vulnerability reports is available at /.well-known/pgp-key.asc.
We are grateful to the researchers who report vulnerabilities responsibly. This section lists those who have helped us, with their permission, once a fix has been deployed.
No reports have been published yet. This section will be updated as reports are resolved.