Responsible Disclosure Policy
Last updated: 17 July 2026 · Version 2.0
1. Commitment
TruSecure welcomes reports of security vulnerabilities affecting trusecure.co, Resilience Fabric, TruSecure-owned repositories and related infrastructure. TruSecure commits to engage in good faith with researchers who submit reports under this Policy.
2. How to report
Send your report to security@trusecure.co.
Please note: email submitted over TLS is not end-to-end encrypted. Do not include specially protected categories of personal data (within the meaning of GDPR Art. 9) or credentials within the report. Strip metadata from attachments before sending.
Reports may also be submitted through the contact form on trusecure.co, which is served over TLS. Submission by telephone to the security team is possible by prior arrangement through the same email address.
Please include:
- a clear description of the vulnerability and its impact;
- reproducible steps and proof-of-concept where appropriate;
- the URL, system or asset affected;
- your name and contact details if you wish to be credited.
3. What TruSecure will do
- Acknowledge your report within 3 business days.
- Provide an initial assessment within 10 business days.
- Provide updates on substantive findings at intervals not exceeding 30 days.
- After remediation, publish a security advisory crediting the reporter unless the reporter requests otherwise.
4. What researchers should not do
While researching a vulnerability:
- do not access, modify, retain or transfer data beyond what is necessary to demonstrate the vulnerability;
- do not degrade the service, disrupt users or saturate bandwidth;
- do not use social engineering against TruSecure staff, customers or partners;
- do not exploit the vulnerability beyond what is necessary to confirm it;
- do not publicly disclose the vulnerability before TruSecure has confirmed remediation or before an agreed disclosure date.
5. Safe harbour
TruSecure will not pursue civil or criminal action against you, and will not refer you to law enforcement, for activity performed in compliance with this Policy. Such activity is considered "authorised" under Directive 2013/40/EU on attacks against information systems, and analogous national laws including Romanian Law 64/1996 on information technology.
If a third party (such as a law-enforcement agency) takes action against you in connection with activity performed in compliance with this Policy, TruSecure will make this Policy available to the relevant authority.
This safe harbour does not apply to conduct that is wilful, malicious, harmful, or that violates applicable law even where it also complies with this Policy.
6. Scope
| In scope | Out of scope |
|---|---|
| trusecure.co and subdomains | Third-party services that TruSecure links to but does not operate |
| Resilience Fabric production | Social-engineering of TruSecure staff or contractors |
| TruSecure-owned repositories | Physical attacks against TruSecure premises |
| Public APIs operated by TruSecure | Denial-of-service testing |
| Spam or phishing capability reports against the TruSecure brand |
7. Recognition
A security acknowledgements page is published under the same /security/ path. Reporters are recognised there with their consent.
8. Coordinated disclosure timeline
TruSecure aims to confirm a remediation date within 90 days of a confirmed critical vulnerability and to publish an advisory within 90 days unless a longer period is justified by the complexity of the fix.
