Responsible Disclosure
We appreciate your help in identifying and responsibly disclosing security vulnerabilities. This policy outlines how to report issues securely.
Scope
This policy covers vulnerabilities in:
- truthvouch.com (SaaS platform)
- api.truthvouch.com (APIs)
- All TruthVouch-controlled subdomains
- Official SDKs
Out of scope:
- Third-party services or infrastructure
- Social engineering (unless you’re testing our defenses)
- DDoS attacks
- Physical security
- Vulnerabilities requiring user interaction beyond normal use
Reporting Process
Step 1: Don’t Publicly Disclose
Please do NOT:
- Post the vulnerability on social media
- Report it in public GitHub issues
- Tell other customers
- Test the vulnerability repeatedly
Step 2: Report to Our Security Team
Send a detailed report to [email protected] with:
Subject: [SECURITY] Brief vulnerability description
Your Name:
Your Email:
Company:
Phone (optional):
Vulnerability Title: [Concise description]
Vulnerability Type:
[ ] SQL Injection
[ ] Cross-Site Scripting (XSS)
[ ] Cross-Site Request Forgery (CSRF)
[ ] Authentication/Authorization
[ ] Data Exposure
[ ] Denial of Service
[ ] Other: ___________
Severity Assessment:
[ ] Critical (affects confidentiality/integrity of customer data)
[ ] High (significant impact)
[ ] Medium (moderate impact)
[ ] Low (minimal impact)
Steps to Reproduce:
1.
2.
3.
Expected Behavior: [Describe what should happen]
Actual Behavior: [Describe what actually happens]
Impact: [Explain the potential impact if exploited]
Proof of Concept: [Include screenshots, code snippets, or commands]
[Do not include real customer data]
Additional Notes: [Any other relevant information]
Step 3: Encrypt Communication (Optional)
For maximum security, encrypt your email using our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP key here]
-----END PGP PUBLIC KEY BLOCK-----
Request at: [email protected]
Our Commitment
Upon receiving your report, we will:
- Acknowledge receipt within 24 hours
- Confirm vulnerability within 48 hours
- Provide timeline for fix and disclosure
- Share updates at least weekly
- Notify you when the patch is deployed
- Request embargo period if needed (max 90 days from fix)
Response Times by Severity
| Severity | Acknowledgment | Investigation | Fix Target |
|---|---|---|---|
| Critical | 1 hour | 2 hours | 24 hours |
| High | 4 hours | 8 hours | 72 hours |
| Medium | 8 hours | 24 hours | 2 weeks |
| Low | 24 hours | 1 week | 30 days |
Eligibility for Rewards
You are eligible for a monetary reward if you:
- Discover a previously unknown vulnerability
- Report it before public disclosure
- Follow this responsible disclosure policy
- Don’t attempt to exploit vulnerabilities beyond testing
- Cooperate with our fix process
Ineligible issues:
- Vulnerabilities you didn’t discover (social engineering claims, etc.)
- Issues already known to us
- Issues outside scope
- Violations of this policy
Reward Guidelines
Rewards based on impact and severity:
| Severity | Typical Reward |
|---|---|
| Critical | $2,500 - $10,000 |
| High | $500 - $2,500 |
| Medium | $100 - $500 |
| Low | $50 - $100 |
Factors affecting reward:
- Clarity and completeness of report
- Difficulty of discovery
- Impact severity
- Business risk
- Cooperation with fix process
What Happens Next
After we fix the vulnerability:
- Patch Deployment (1-7 days after fix)
- Public Disclosure (14 days after patch, or per your request)
- Credit Assignment (in security advisory)
- Reward Processing (within 30 days of patch)
We will credit you in our security advisory unless you request anonymity.
Example Security Advisory
[Security Advisory SAE-2024-001]
Vulnerability: Improper Input Validation in Verification API
CVSS Score: 7.5 (High)
Affected Versions: < 2.4.0
Fix Available: 2.4.0 (released Date)
CVE: CVE-XXXX-XXXXX
Reported by: Jane Smith ([email protected])
Description: The verification API did not properly validate user input in the...
Impact: An unauthenticated attacker could...
Mitigation:
1. Update to version 2.4.0 or later
2. Enable request validation in dashboard
3. Monitor for suspicious API activity
Timeline:
- 2024-03-01: Vulnerability discovered and reported
- 2024-03-02: Confirmed and started fix
- 2024-03-04: Patch deployed to production
- 2024-03-18: Public disclosure
Thanks: Special thanks to Jane Smith for responsible disclosure.
Legal Considerations
Safe Harbor
We commit to not pursuing legal action against you if you:
- Act in good faith
- Follow this policy
- Don’t exploit vulnerabilities beyond testing
- Don’t access, modify, or delete data beyond testing
Data Handling
During testing, you may encounter customer data. You must:
- Not access more data than necessary to verify the vulnerability
- Not store, copy, or retain any data
- Not use data for any purpose beyond vulnerability verification
- Confirm deletion of test data
Non-Disclosure Agreement
If you discover a critical vulnerability, we may ask you to sign an NDA:
- Covers vulnerability details until public disclosure
- Allows you to cooperate with us on the fix
- Prevents competitors from benefiting from early knowledge
Questions?
- General questions: [email protected]
- Vulnerability reports: [email protected]
- Bug bounty payments: [email protected]
- Policy clarifications: [email protected]
Recognition
We publicly recognize researchers who report vulnerabilities via our bug bounty program. Our Hall of Fame lists top researchers by year.
Thank you for helping us keep TruthVouch secure.