
Vulnerability Disclosure Programme

Last updated: 03.05.2026
TABLE OF CONTENTS
  • 01 Introduction
  • 02 Official Reporting Channel
  • 03 Systems in Scope
  • 04 Out of Scope
  • 05 Rewards and Recognition
  • 06 Our Commitments
  • 07 Our Expectations
  • 08 Public Disclosure
  • 09 Safe Harbour

1. Introduction

TrustSig welcomes feedback from security researchers and the general public to help improve the security of our products and services. If you believe you have discovered a vulnerability or other security issue in any of our in-scope assets, we want to hear from you.

2. Official Reporting Channel

Please report security issues by email to security@trustsig.eu.

A good report typically includes:

  • A clear description of the vulnerability and its potential impact.
  • Step-by-step instructions and/or a Proof of Concept to reproduce the issue.
  • The affected component, URL, or endpoint.
  • Any relevant screenshots, logs, or other evidence.
  • Your suggested severity rating. Severity is determined using CVSS v4.0 (base metrics), via the official calculator: https://www.first.org/cvss/calculator/4.0.

3. Systems in Scope

The following assets and activities are explicitly in scope for this programme:

  • TrustSig threat protection solution – bypassing our bot protection solution using automated API requests (bypasses using any kind of browser engine are out of scope)
  • trustsig.eu web application – Critical, High and Medium severity vulnerabilities affecting the trustsig.eu platform that serves our customers
  • edge.trustsig.eu & api.trustsig.eu web endpoints
  • demo.trustsig.eu – may be used for testing, so that production services are not interrupted

4. Out of Scope

Any asset, system, or activity not explicitly listed in “Systems in Scope” is out of scope. In particular, the following are out of scope:

  • Any customer-owned environments and platforms using TrustSig threat protection solutions
  • Any test and demo environments (other than demo.trustsig.eu, which may be used for testing)
  • Denial-of-Service (DoS/DDoS) attacks and any activity that could lead to disruption of service
  • Social engineering attacks (including against TrustSig staff, customers, or partners)
  • Attacks requiring Man-in-the-Middle (MITM) or physical access to a victim’s device
  • SSL/TLS weak configuration issues without a demonstrable exploit
  • SPF, DKIM, and DMARC or other email configuration issues
  • Physical security of TrustSig offices and employees
  • Previously known third-party vulnerable dependencies or libraries without a working, TrustSig-specific Proof of Concept. If issues affect a third-party library, external project, or another vendor, TrustSig reserves the right to forward the issue details to that party without prior notification to the researcher, while still crediting the researcher as the source of the report.

Reports on out-of-scope issues are still welcome – we are happy to receive them and will review them as a matter of good faith. However, please note that out-of-scope reports are not eligible for public credit or any bounty.

5. Rewards and Recognition

For in-scope findings that are reviewed, verified, and approved by TrustSig, we offer the following recognition and bounties:

5.1 Public credit

Verified researchers will be publicly credited on this same page. If several researchers contribute, credits will be maintained as a leaderboard.

5.2 Bounties

Bounty amounts are paid in EUR and are based on the confirmed severity (CVSS v4.0 base metrics):

  • Critical: €500
  • High: €250
  • Medium: €100

As a young company we are still small, and we appreciate your understanding of the modest bounty amounts. Only the first reporter of a previously unknown, verified vulnerability qualifies for credit or a bounty.

6. Our Commitments

When you work with us under this policy, you can expect us to:

  • Respond to your report promptly and work with you to understand and validate it.
  • Strive to keep you informed about the progress of the vulnerability as it is processed.
  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
  • Extend Safe Harbour to your vulnerability research that is conducted in accordance with this policy.
  • Credit you, where you wish to be credited, once a reported issue has been resolved.

7. Our Expectations

In participating in our vulnerability disclosure programme in good faith, we ask that you:

  • Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.
  • Report any vulnerability you have discovered promptly.
  • Avoid violating the privacy of others, disrupting our systems, destroying data, or harming the user experience.
  • Use only the Official Reporting Channel to discuss vulnerability information with us.
  • If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required to effectively demonstrate a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data such as Personally Identifiable Information (PII) or any other non-public/confidential data.
  • Only interact with accounts you own.
  • Not engage in extortion.

8. Public Disclosure

Researchers are asked to allow at least 90 days from the initial report before any public disclosure of the vulnerability. If more time is needed, we will communicate with you and agree on a revised timeline. Public disclosure should not include sensitive details that could enable exploitation before a fix is deployed.

9. Safe Harbour

We consider vulnerability research conducted in accordance with this policy to be:

  • Authorised with respect to any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy.
  • Authorised with respect to any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our Terms of Service (ToS) that would interfere with conducting security research, and we waive those restrictions on a limited basis.
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable regulations and laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through our Official Reporting Channel before going any further.
