
Vulnerability Disclosure Program

We work with the security community to keep our customers safe. This document defines what is in scope, what is not, and how we respond when you tell us about a vulnerability.

1. Safe harbor

We believe good-faith security research benefits everyone. If you follow this policy, we will not pursue legal action against you, and we will work with you to understand and resolve the issue.

If you act in good faith, stay within the stated scope, and make a reasonable effort to avoid privacy violations, data destruction, or service disruption, we consider your research to be authorised under this policy.

2. Response times

We commit to the following response times once a valid report is received at the contact address below.

Stage           | Target          | What we deliver
----------------|-----------------|------------------------------------------------
Acknowledgement | Within 24 hours | A human reply confirming receipt.
Initial triage  | Within 72 hours | Severity rating and a tracking reference.

3. Eligibility

Participation in this programme is voluntary. By submitting a report, you confirm all of the following.

  • You have reached the legal age of majority in your country, or you are at least 15 years of age and have the permission of a legal guardian.
  • Your participation does not violate any other agreement you are party to. We are not liable for any such breach.
  • You are not resident in a country subject to, and are not listed on, any US, Swiss, EU, or UN embargo or sanctions list.
  • You are not a TrustStrike Labs employee, contractor, representative, or an immediate family member of one.

4. Scope

The following asset is in scope. Please verify that the target is owned and operated by TrustStrike Labs before testing.

Asset                 | Type                                | Environment
----------------------|-------------------------------------|------------
*.truststrikelabs.com | Web applications and infrastructure | Production

5. Out of scope

The following categories are excluded from the programme. Testing in these areas may result in disqualification and, where appropriate, legal action.

  • Theoretical issues or best-practice observations without demonstrable real-world impact.
  • Social engineering of TrustStrike Labs employees, contractors, or customers.
  • Denial of Service (DoS) attacks of any kind.
  • Email spoofing.
  • Missing HTTP security headers, unless accompanied by a working proof of concept that exploits their absence.
  • Use of a library with known CVEs, without evidence of further exploitation on our infrastructure.
  • Reports of insecure SSL/TLS ciphers or weak signature algorithms, unless accompanied by a working exploit.

6. Submitting a report

Send a detailed report to the contact address below. Please include the sections listed; complete reports are triaged significantly faster.

Your report should contain the following.

  1. Description: A high-level summary of the vulnerability and the affected component.
  2. Steps to reproduce: Clear, numbered, copy-pasteable steps that trigger the issue.
  3. Proof of concept: Screenshots, payloads, request/response pairs, or a short video.
  4. Impact: What an attacker could realistically achieve by exploiting this.
  5. Remediation (optional): A suggested fix, if you have one.

7. Recognition

This programme does not offer monetary bounties at this time. We recognise valid reports through our public Hall of Fame, with your chosen name, handle, or affiliation, once the issue is fully remediated and you have approved public disclosure.