Vulnerability Disclosure Program

At TRUSTSTRIKE LABS, we value the security community and believe that responsible disclosure of vulnerabilities is critical to maintaining a secure ecosystem. We encourage researchers to report security issues through this program.

Who can participate

Participation in the program is voluntary. By participating, you agree to be bound by the terms set out in this program. If you do not wish to, or cannot, comply with these terms, you may not participate.

You must meet the following criteria to be eligible to participate:

  • You must be either the legal age of majority in your country or at least 15 years of age with permission from your legal guardian to participate in the program;
  • When acting as a participant, you are not violating any other agreement to which you are a party; we are not liable for any breach of such a third-party agreement by you;
  • You are not listed under or resident in a country that is under a US, Switzerland, European Union, or United Nations embargo or sanctions list;
  • You are not an employee, contractor, representative, or a family member of a TRUSTSTRIKE LABS employee, contractor, or representative.

Programme Scope

Researchers are encouraged to test the following assets. Please ensure the asset is actually owned and operated by TRUSTSTRIKE LABS before testing.

Asset                    Type
*.truststrikelabs.com    Web Applications & Infrastructure

Out of Scope

The following categories are strictly excluded from the program. Any testing in these areas may result in immediate disqualification and possible legal action.

  • Security best-practice findings that can't be exploited with real impact;
  • Social engineering TRUSTSTRIKE LABS employees, contractors, or customers;
  • Denial of Service (DoS) attacks;
  • Email Spoofing;
  • Missing HTTP security headers, unless accompanied by a detailed proof of concept exploit that leverages their absence;
  • Use of a library with known vulnerabilities (without evidence of further exploitation);
  • Reports of insecure SSL/TLS ciphers or weak signature algorithms, unless accompanied by a working proof of concept of an exploit.

Our Commitment

If you follow our policies and act in good faith, we commit to not pursuing legal action and will work with you to understand and resolve the issue quickly.

Stage              Target
Acknowledgement    24 hours
Initial Triage     72 hours
Status Updates     Every 5 days

Submit a Report

Found a vulnerability? Please send a clear explanation to

  • Vulnerability Description: Detailed explanation of the issue.
  • Steps to Reproduce: Clear, numbered steps to trigger the vulnerability.
  • Proof of Concept: Relevant screenshots or code snippets.
  • Impact: How this vulnerability could be exploited to cause harm.
  • Remediation (Optional): Your suggestion on how to fix the issue.

๐Ÿ† Researchers who provide valid reports will be featured in our Hall of Fame.

Please include "VDP Report" in the subject line.