Security at TrustFix
We take security seriously. If you discover a vulnerability, we want to hear from you.
Our Commitment
As a security company, we hold ourselves to the highest standards. We appreciate the security research community and believe in working collaboratively to identify and fix vulnerabilities.
Reporting a Vulnerability
Please report security vulnerabilities via email:
security@trustfix.dev
We will acknowledge receipt within 24 hours.
What to Include
- Description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept code or screenshots
- Your recommended fix, if any
- Your name/handle for acknowledgment (optional)
Our Process
Acknowledge
We acknowledge your report within 24 hours.
Investigate
We investigate and validate the report within 7 days.
Fix
We develop and deploy a fix within 30 days (critical issues faster).
Disclose
We coordinate public disclosure after the fix is deployed.
Disclosure Timeline
We follow a 90-day disclosure timeline, consistent with industry standards (Google Project Zero). If a fix requires more time, we will communicate openly about the timeline.
Recognition
We believe in recognizing security researchers who help us improve. With your permission, we will credit you in our security acknowledgments. We currently offer recognition and gratitude; a formal bug bounty program will be announced as we scale.
Out of Scope
- Social engineering attacks against TrustFix employees
- Physical security of TrustFix offices or data centers
- Denial of service attacks
- Issues in third-party services we use
- Issues already known to us or in active remediation
Safe Harbor
We will not take legal action against researchers who discover and report vulnerabilities in good faith, following this policy. We ask that you:
- Do not access or modify other users' data
- Do not perform actions that could harm the service or its users
- Give us reasonable time to fix issues before public disclosure
