Responsible Disclosure Policy

At TrustMind, we take the security of our platform and the data entrusted to us seriously. We value the work of security researchers who help us maintain the safety and privacy of our users. If you believe you have found a security vulnerability, we encourage you to report it to us responsibly.

Scope

This policy applies to vulnerabilities found in:

  • trustmind.com and its subdomains
  • TrustMind API endpoints

How to Report

Please send your findings to [email protected]. Include as much detail as possible:

  • A description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • The affected URL, parameter, or component
  • Any proof-of-concept code or screenshots

What to Expect

  • Acknowledgment: You will receive an automated acknowledgment upon receipt of your report.
  • Response: We will provide a substantive response within 3 business days, including our assessment and expected timeline for remediation.
  • Updates: We will keep you informed of our progress toward resolving the issue.

Disclosure Timeline

We ask that you give us a reasonable amount of time to address the vulnerability before disclosing it publicly: a minimum of 90 days from the date of your report.

Safe Harbor

We will not pursue legal action against security researchers who discover and report vulnerabilities in good faith and in accordance with this policy. We consider such research to be authorized, and this protection extends to accidental, good-faith violations of the policy.

To qualify for safe harbor, researchers must:

  • Avoid actions that could harm TrustMind, our users, or our services
  • Not access, modify, or delete data belonging to other users
  • Stop testing and report the issue immediately upon discovering a vulnerability that exposes user data
  • Not disclose the vulnerability publicly until we have had a reasonable opportunity to address it

Out of Scope

The following are not considered security vulnerabilities under this policy:

  • Social engineering attacks (e.g., phishing)
  • Denial of service (DoS/DDoS) attacks
  • Spam or bulk messaging
  • Non-security bugs (please report these to [email protected])
  • Issues in third-party services or applications
  • Vulnerabilities requiring physical access to a user's device

Recognition

We appreciate the efforts of security researchers who help keep TrustMind secure. While we do not offer a paid bug bounty program at this time, we are happy to publicly acknowledge researchers who responsibly disclose valid vulnerabilities (with their permission).

Contact

For security-related reports, please contact us at [email protected].