Responsible Disclosure
We appreciate your help in identifying and responsibly disclosing security vulnerabilities. This policy outlines how to report issues securely.
Scope
This policy covers vulnerabilities in:
- truthvouch.com (SaaS platform)
- api.truthvouch.com (APIs)
- All TruthVouch-controlled subdomains
- Official SDKs
Out of scope:
- Third-party services or infrastructure
- Social engineering (unless you’re testing our defenses)
- DDoS attacks
- Physical security
- Vulnerabilities requiring user interaction beyond normal use
Reporting Process
Step 1: Don’t Publicly Disclose
Please do NOT:
- Post the vulnerability on social media
- Report it in public GitHub issues
- Tell other customers
- Test the vulnerability repeatedly
Step 2: Report to Our Security Team
Send a detailed report to security@truthvouch.com with:
Subject: [SECURITY] Brief vulnerability description
Your Name:
Your Email:
Company:
Phone (optional):
Vulnerability Title: [Concise description]
Vulnerability Type:
[ ] SQL Injection
[ ] Cross-Site Scripting (XSS)
[ ] Cross-Site Request Forgery (CSRF)
[ ] Authentication/Authorization
[ ] Data Exposure
[ ] Denial of Service
[ ] Other: ___________
Severity Assessment:
[ ] Critical (affects confidentiality/integrity of customer data)
[ ] High (significant impact)
[ ] Medium (moderate impact)
[ ] Low (minimal impact)
Steps to Reproduce:
1.
2.
3.
Expected Behavior: [Describe what should happen]
Actual Behavior: [Describe what actually happens]
Impact: [Explain the potential impact if exploited]
Proof of Concept: [Include screenshots, code snippets, or commands] [Do not include real customer data]
Additional Notes: [Any other relevant information]
Step 3: Encrypt Communication (Optional)
For maximum security, encrypt your email using our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP key here]
-----END PGP PUBLIC KEY BLOCK-----
Request at: security@truthvouch.com
Our Commitment
Upon receiving your report, we will:
- Acknowledge receipt within 24 hours
- Confirm vulnerability within 48 hours
- Provide timeline for fix and disclosure
- Share updates at least weekly
- Notify you when patch is deployed
- Request embargo period if needed (max 90 days from fix)
Response Times by Severity
| Severity | Acknowledgment | Investigation | Fix Target |
|---|---|---|---|
| Critical | 1 hour | 2 hours | 24 hours |
| High | 4 hours | 8 hours | 72 hours |
| Medium | 8 hours | 24 hours | 2 weeks |
| Low | 24 hours | 1 week | 30 days |
Eligibility for Rewards
You are eligible for a monetary reward if you:
- Discover a previously unknown vulnerability
- Report it before public disclosure
- Follow this responsible disclosure policy
- Don’t attempt to exploit vulnerabilities beyond testing
- Cooperate with our fix process
Ineligible issues:
- Vulnerabilities you didn’t discover (social engineering claims, etc.)
- Issues already known to us
- Issues outside scope
- Violations of this policy
Reward Guidelines
Rewards based on impact and severity:
| Severity | Typical Reward |
|---|---|
| Critical | $2,500 - $10,000 |
| High | $500 - $2,500 |
| Medium | $100 - $500 |
| Low | $50 - $100 |
Factors affecting reward:
- Clarity and completeness of report
- Difficulty of discovery
- Impact severity
- Business risk
- Cooperation with fix process
What Happens Next
After we fix the vulnerability:
- Patch Deployment (1-7 days after fix)
- Public Disclosure (14 days after patch, or per your request)
- Credit Assignment (in security advisory)
- Reward Processing (within 30 days of patch)
We will credit you in our security advisory unless you request anonymity.
Example Security Advisory
[Security Advisory SAE-2024-001]
Vulnerability: Improper Input Validation in Verification API
CVSS Score: 7.5 (High)
Affected Versions: < 2.4.0
Fix Available: 2.4.0 (released Date)
CVE: CVE-XXXX-XXXXX
Reported by: Jane Smith (jane@example.com)
Description: The verification API did not properly validate user input in the...
Impact: An unauthenticated attacker could...
Mitigation:
1. Update to version 2.4.0 or later
2. Enable request validation in dashboard
3. Monitor for suspicious API activity
Timeline:
- 2024-03-01: Vulnerability discovered and reported
- 2024-03-02: Confirmed and started fix
- 2024-03-04: Patch deployed to production
- 2024-03-18: Public disclosure
Thanks: Special thanks to Jane Smith for responsible disclosure.
Legal Considerations
Safe Harbor
We commit to not pursuing legal action against you if you:
- Act in good faith
- Follow this policy
- Don’t exploit vulnerabilities beyond testing
- Don’t access, modify, or delete data beyond testing
Data Handling
During testing, you may encounter customer data. You must:
- Not access more data than necessary to verify vulnerability
- Not store, copy, or retain any data
- Not use data for any purpose beyond vulnerability verification
- Confirm deletion of test data
Non-Disclosure Agreement
If you discover a critical vulnerability, we may ask you to sign an NDA:
- Covers vulnerability details until public disclosure
- Allows you to cooperate with us on fix
- Prevents competitor benefit from early knowledge
Questions?
- General questions: security@truthvouch.com
- Vulnerability reports: security@truthvouch.com
- Bug bounty payments: bounty@truthvouch.com
- Policy clarifications: legal@truthvouch.com
Recognition
We publicly recognize researchers who report vulnerabilities via our bug bounty program. Our Hall of Fame lists top researchers by year.
Thank you for helping us keep TruthVouch secure.