TruSecure Logo
LEGAL

Responsible Disclosure Policy

Last updated: 17 July 2026 · Version 2.0

1. Commitment

TruSecure welcomes reports of security vulnerabilities affecting trusecure.co, Resilience Fabric, TruSecure-owned repositories and related infrastructure. TruSecure commits to engage in good faith with researchers who submit reports under this Policy.

2. How to report

Send your report to security@trusecure.co.

Please note: email submitted over TLS is not end-to-end encrypted. Do not include specially protected categories of personal data (within the meaning of GDPR Art. 9) or credentials within the report. Strip metadata from attachments before sending.

Reports may also be submitted through the contact form on trusecure.co, which is served over TLS. Submission by telephone to the security team is possible by prior arrangement through the same email address.

Please include:

  • a clear description of the vulnerability and its impact;
  • reproducible steps and proof-of-concept where appropriate;
  • the URL, system or asset affected;
  • your name and contact details if you wish to be credited.

3. What TruSecure will do

  • Acknowledge your report within 3 business days.
  • Provide an initial assessment within 10 business days.
  • Provide updates on substantive findings at intervals not exceeding 30 days.
  • After remediation, publish a security advisory crediting the reporter unless the reporter requests otherwise.

4. What researchers should not do

While researching a vulnerability:

  • do not access, modify, retain or transfer data beyond what is necessary to demonstrate the vulnerability;
  • do not degrade the service, disrupt users or saturate bandwidth;
  • do not use social engineering against TruSecure staff, customers or partners;
  • do not exploit the vulnerability beyond what is necessary to confirm it;
  • do not publicly disclose the vulnerability before TruSecure has confirmed remediation or before an agreed disclosure date.

5. Safe harbour

TruSecure will not pursue civil or criminal action against you, and will not refer you to law enforcement, for activity performed in compliance with this Policy. Such activity is considered "authorised" under Directive 2013/40/EU on attacks against information systems, and analogous national laws including Romanian Law 64/1996 on information technology.

If a third party (such as a law-enforcement agency) takes action against you in connection with activity performed in compliance with this Policy, TruSecure will make this Policy available to the relevant authority.

This safe harbour does not apply to conduct that is wilful, malicious, harmful, or that violates applicable law even where it also complies with this Policy.

6. Scope

In scopeOut of scope
trusecure.co and subdomainsThird-party services that TruSecure links to but does not operate
Resilience Fabric productionSocial-engineering of TruSecure staff or contractors
TruSecure-owned repositoriesPhysical attacks against TruSecure premises
Public APIs operated by TruSecureDenial-of-service testing
Spam or phishing capability reports against the TruSecure brand

7. Recognition

A security acknowledgements page is published under the same /security/ path. Reporters are recognised there with their consent.

8. Coordinated disclosure timeline

TruSecure aims to confirm a remediation date within 90 days of a confirmed critical vulnerability and to publish an advisory within 90 days unless a longer period is justified by the complexity of the fix.