We welcome good-faith security reports about TrustCheck. This policy explains how researchers can report vulnerabilities safely.
1. Scope
In-scope systems include TrustCheck-owned web applications, public APIs, badge verification endpoints, and authentication workflows. Customer assets, third-party integrations, payment providers, and social platforms are out of scope unless we explicitly authorize testing.
2. Safe Harbor Expectations
- Do not access, modify, delete, or exfiltrate data that is not yours.
- Do not perform denial-of-service, spam, phishing, malware, credential stuffing, or destructive testing.
- Stop testing and report immediately if you encounter sensitive data.
- Give TrustCheck reasonable time to investigate before public disclosure.
- Use test accounts you own and avoid disrupting other users.
3. How To Report
Email reports to support@trustcheck.io with the subject "Security Disclosure". Include affected URL, steps to reproduce, impact, screenshots or proof-of-concept, and your contact details.
4. What Happens Next
We aim to acknowledge reports promptly, triage severity, investigate, remediate where appropriate, and coordinate disclosure. We do not currently guarantee bounty payments unless a separate written program says otherwise.