Trust & Will Responsible Disclosure Policy

Also Known As 'Vulnerability Disclosure Policy'

Trust & Will’s Security Team is committed to protecting our users and their data. We believe the independent security research community is a key contributor to the security of the Internet and we gladly welcome (and appreciate!) reports of potential security issues.

This policy provides guidelines for security researchers to conduct ethical research and coordinate disclosure of security vulnerabilities to Trust & Will.

We have developed this policy to reflect our values and showcase that we genuinely respect security researchers who share their expertise with us. We encourage security researchers to report potential security vulnerabilities they’ve discovered so we can fix them and continue to protect our customers and employees.

This program is hosted on HackerOne and is only for the coordinated disclosure of potential software security vulnerabilities.

Program Rules

  • Notify us as soon as you discover a potential security vulnerability.

  • Only use or access accounts and information that belong to you.

  • Do not destroy or modify data that is not yours.

  • Do not degrade the performance of Trust & Will products and services, or the experience of our users.

  • Do not perform social engineering, physical, or denial of service attacks on Trust & Will personnel, locations, or assets.

  • Follow HackerOne’s disclosure guidelines, this Vulnerability Disclosure Policy, and all applicable laws.

Scope

  • This policy applies to Trust & Will's products, services, and systems. Always be careful to verify whose assets you are testing while performing research.

  • Vulnerabilities found in vendor systems fall outside of this policy’s scope and should be reported directly to the vendor via their own disclosure programs.

  • If you aren’t sure if a system is in scope or need help reporting a finding to a vendor, contact us at security@trustandwill.com. We’re happy to help!

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Out of Scope Vulnerabilities

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Clickjacking on pages with no sensitive actions.

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Any activity that could lead to the disruption of our service (DoS).

  • Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS.

  • Rate limiting or brute-force issues on non-authentication endpoints.

  • Missing best practices in Content Security Policy.

  • Missing HttpOnly or Secure flags on cookies.

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).

  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.

  • Tabnabbing.

  • Open redirect - unless an additional security impact can be demonstrated.

How to Report a Vulnerability

Privately share full details of the suspected vulnerability with the Trust & Will Security team so we can validate and reproduce the issue.

Email us at security@trustandwill.com.

What we would like to see from you

To help us triage and remediate potential findings, a good vulnerability report should:

  • Describe the vulnerability, precisely where it was discovered, and the real-world impact.

  • Offer a detailed description of the steps needed to reproduce the vulnerability (POCs, screenshots, and videos are helpful).

  • Contain only one vulnerability (unless the vulnerabilities form an attack chain).

  • Not consist of automated scanner results without proof of exploitability.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

  • Within 5 business days, we will acknowledge that your report has been received.

  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about the remediation process, including on issues or challenges that may delay resolution.

  • We will maintain an open dialogue to discuss issues.

Eligibility

The Trust & Will Bug Bounty program encourages qualified individuals to submit vulnerability reports that detail the identification and exploitation of bugs in certain “in scope” products and services. In certain circumstances, Trust & Will may grant monetary rewards/bounties to the security researcher who submitted the report. While we appreciate every report received, only those researchers who meet the following criteria may be eligible to receive bounty payments:

  • You must be the first researcher to submit a report concerning a specific vulnerability.

  • You must have identified the vulnerability personally, or while working as a part of a team of researchers who all qualify to participate in the Trust & Will bug bounty program.

  • You must not be employed by Trust & Will, its subsidiaries or related entities, currently or within the last 12 months.

  • You must comply with this policy when discovering vulnerabilities and when submitting a vulnerability report.

  • There must be no reason why Trust & Will would be legally prohibited from awarding you a bounty.

Other Terms and Conditions

Your participation in the Trust & Will Bug Bounty program does not create any kind of employment relationship or partnership between you and Trust & Will. You may not represent yourself as a Trust & Will employee or someone who is affiliated in any way with Trust & Will. You must comply with all applicable laws in connection with your participation in this program. You are responsible for any applicable taxes associated with any reward/bounty you receive. Vulnerability reports received prior to the launch of this program are not eligible for rewards and may not be re-submitted for a reward. You may not utilize any Trust & Will logos, trademarks, or service marks without written authorization from Trust & Will. Trust & Will reserves the right to modify this policy at any time, and without prior notification, by posting an updated version of this document. Trust & Will reserves the right to terminate this program at any time and without prior notice.

Intellectual Property

Participating in the Trust & Will Bug Bounty program does not grant you, or any other third party, any rights to Trust & Will intellectual property, products, or services. All rights not otherwise granted within this policy are expressly reserved by Trust & Will. Regardless of whether a bounty is awarded for a report submission, you hereby assign to Trust & Will all rights, title, and interest, including all intellectual property rights, in all vulnerability reports submitted. You further represent that you have the right to assign all such rights, title, and interest to Trust & Will for the submissions, and that your participation in the Trust & Will bug bounty program does not violate any agreement you may have with any other third party, such as your employer.