Vulnerability Reporting Policy
Truple is a leading provider of accountability software for your desktops, laptops, and mobile devices. We are committed to the protection of the data we handle.
We acknowledge the valuable role that independent security researchers play in internet security. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. We are committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us.
Please review these terms before you test or report a vulnerability. Truple pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to this policy.
Reporting a potential security vulnerability
To report security or privacy issues that affect Truple products or web servers, please contact: vulnerabilityreporting@truple.io. You can submit information securely by using our PGP key: https://files.truple.io/0x0305161316BBF21C.asc.
All vulnerability submissions must adhere to the following guidelines:
- Notify us as soon as possible after you discover a real or potential security issue.
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Do not modify or access data that does not belong to you.
- Do not compromise the safety of our services or expose others to an unsafe condition.
- Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to "pivot" to other systems.
- Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not intentionally compromise the intellectual property or other commercial or financial interests of any Truple personnel or entities, or any third parties.
- Once you've established that a vulnerability exists or encounter any sensitive data, you must stop your test, notify us immediately, and not disclose this data to anyone else.
- Security research is limited to Truple applications, programs, and websites.
For the protection of our customers, Truple generally does not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are available.
Prohibited Conduct
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Performing actions that may negatively affect Truple or its users.
- Accessing, or attempting to access, data or information that does not belong to you.
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
- Conducting any kind of physical or electronic attack on Truple personnel, property, or data centers.
- Violating any laws or breaching any agreements in order to discover vulnerabilities.
The following test types are not authorized:
- Network denial of service (DoS or DDoS) tests.
- Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.
- Theoretical vulnerabilities.
- Informational disclosure of non-sensitive data.
- Low-impact session management issues.
- Self-XSS (user-defined payload).
Our Response
We ask that you do not share or publicize an unresolved vulnerability with third parties. If you responsibly submit a vulnerability report, we will use reasonable efforts to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report.
- Provide an estimated time frame for addressing the vulnerability report.
- Notify you when the vulnerability has been fixed.
We greatly appreciate the good-faith efforts of security researchers to help us at Truple make our services more secure.