GridDown by BlackDot Technology
Last updated: January 2025
BlackDot Technology takes security seriously. GridDown is designed with a security-first mindset:
- Offline-first architecture minimizes attack surface
- No user accounts means no credentials to steal
- Local data storage keeps your information on your device
- No cloud backend eliminates server-side vulnerabilities
- Open source enables community security review
We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 6.x.x (current) | ✅ Yes |
| 5.x.x | |
| < 5.0 | ❌ No |
Recommendation: Always use the latest version for the best security.
If you discover a security vulnerability in GridDown, please report it responsibly:
Email: security@blackdot.tech
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any proof-of-concept code (if applicable)
- Your suggested fix (optional but appreciated)
PGP Key (optional): Available at https://blackdot.tech/.well-known/security.txt
- ❌ Do not publicly disclose the vulnerability before we've addressed it
- ❌ Do not exploit the vulnerability beyond what's necessary to demonstrate it
- ❌ Do not access, modify, or delete other users' data
- ❌ Do not perform denial of service attacks
| Stage | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Status update | Every 14 days until resolved |
| Fix development | Depends on severity (see below) |
| Public disclosure | After fix is released |
| Severity | Description | Target Fix Time |
|---|---|---|
| Critical | Remote code execution, data exfiltration | 24-72 hours |
| High | Authentication bypass, significant data exposure | 7 days |
| Medium | Limited data exposure, denial of service | 30 days |
| Low | Minor issues, hardening improvements | Next release |
We support responsible security research. If you:
- Act in good faith
- Avoid privacy violations
- Avoid data destruction
- Report vulnerabilities promptly
- Allow reasonable time for fixes
We will:
- ✅ Not pursue legal action against you
- ✅ Work with you to understand and resolve the issue
- ✅ Credit you in security advisories (if desired)
- ✅ Keep you informed of our progress
The following are within the scope of our security policy:
| Component | Examples |
|---|---|
| Web Application | XSS, CSRF, injection vulnerabilities |
| Data Storage | IndexedDB security, localStorage handling |
| External Connections | API security, WebSocket handling |
| Hardware Integrations | Bluetooth/Serial security |
| Cryptography | Encryption implementation in plan sharing |
| Service Worker | Cache poisoning, update integrity |
| Dependencies | Vulnerabilities in third-party libraries |
The following are outside our security scope:
| Item | Reason |
|---|---|
| Third-party APIs (OSM, USGS, etc.) | Report to respective providers |
| User's device security | Outside our control |
| Physical access attacks | Requires device access |
| Social engineering | User education issue |
| Browser vulnerabilities | Report to browser vendor |
| Self-hosted instances | User's responsibility |
| RF Sentinel hardware | Separate project |
| Data Type | Storage | Protection |
|---|---|---|
| Waypoints, routes | IndexedDB | Browser sandboxing |
| Settings | localStorage | Browser sandboxing |
| Offline tiles | Cache API | Browser sandboxing |
| Exported plans | User's filesystem | Optional AES-256-GCM encryption |
| SSTV images | IndexedDB | Browser sandboxing |
| Connection | Protocol | Security |
|---|---|---|
| Map tiles | HTTPS | TLS encryption |
| Weather API | HTTPS | TLS encryption |
| AirNow API | HTTPS | TLS encryption + API key |
| WebSocket (RF Sentinel) | WSS/WS | TLS when available |
| Bluetooth | BLE | Device pairing |
| Web Serial | USB | Physical connection |
GridDown does not transmit any data to BlackDot Technology servers. We have:
- No analytics
- No telemetry
- No crash reporting
- No user accounts
- No cloud sync
- No backend servers
- Risk: Browser storage can be cleared by user or browser
  - Mitigation: Regular data export recommended
  - User Action: Export important data periodically
- Risk: Map tiles and weather data come from external sources
  - Mitigation: Use HTTPS, validate responses
  - User Action: Verify critical data through official sources
- Risk: Malicious devices could send unexpected data
  - Mitigation: Input validation, connection to known devices only
  - User Action: Only connect trusted devices
- Risk: Cached tiles could theoretically be tampered with
  - Mitigation: Tiles from HTTPS sources, browser cache isolation
  - User Action: Re-download tiles if integrity is questionable
- Risk: Installing PWA grants offline capability
  - Mitigation: Service worker validates cached resources
  - User Action: Install only from trusted sources
- Risk: Weak passphrase could be brute-forced
  - Mitigation: AES-256-GCM encryption, PBKDF2 key derivation
  - User Action: Use strong passphrases for sensitive plans
- Keep GridDown updated - Install new versions promptly
- Use HTTPS - Always access GridDown via HTTPS
- Secure your device - Use screen lock, encryption
- Regular exports - Backup important data
- Verify GPS accuracy - Cross-check critical positions
- Use strong passphrases - For encrypted plan exports
- Clear data when needed - Browser settings → Clear site data
- Audit permissions - Review granted device permissions
- Trust your devices - Only connect known hardware
- Secure your network - For RF Sentinel WebSocket connections
- Physical security - Protect connected devices
Security updates are distributed through:
- Version updates - Install latest version
- Service worker - Automatic background updates
- Security advisories - Posted in CHANGELOG.md
- Critical alerts - Email to registered contacts (if opted in)
To verify you have an authentic GridDown release:
- Download only from official sources
- Check version number in Settings → About
- Verify service worker version matches release
| Date | Version | Severity | Description | Status |
|---|---|---|---|---|
| - | - | - | No vulnerabilities disclosed yet | - |
We will document disclosed vulnerabilities here after fixes are released.
We do not currently offer a paid bug bounty program. However, we:
- ✅ Acknowledge security researchers in release notes
- ✅ Provide letters of appreciation for significant findings
- ✅ May offer GridDown merchandise for exceptional reports
Email: security@blackdot.tech
Response Time: Within 48 hours
Encryption: PGP key available at https://blackdot.tech/.well-known/security.txt
Alternative Contact: legal@blackdot.tech (if security@ is unresponsive)
- Privacy Policy - Data handling practices
- Terms of Service - Usage terms
- Disclaimer - Safety information
- License - Software licensing
Thank you for helping keep GridDown secure!
© 2025 BlackDot Technology. All Rights Reserved.