Responsible disclosure
Report a security finding
Found something in our defense engine, web app, or infrastructure? Submit below. We acknowledge within 72 hours and operate a 90-day coordinated disclosure window. Researchers acting in good faith will not face legal action.
In scope
- gladiuscrm.com production web app + APIs
- Defense engine (GladiusDefense) bypasses
- Sentinel benchmark scenario quality issues
- Mobile PWA (gladiusbdc.com/onyx/mobile)
- OAuth / SSO flows on any vertical
- Privilege escalation, IDOR, tenant isolation breaches
Out of scope
- Social engineering of Gladius employees or contractors
- Physical attacks against Gladius offices or staff
- Denial-of-service against production
- Findings already in our public CVE log or staging-only issues
- Reports without reproduction steps
Prefer email? Send directly to security@gladiuscrm.com. PGP key fingerprint posted at /security (when published).
Bounty program: planned Q4 2026. Researchers who report valid findings before the program launches will be retroactively eligible for the announced bounty tier matching their finding.