VULNERABILITY DISCLOSURE.

1. Introduction and Purpose

At TransLTR, we are committed to protecting the security of our customers and systems. This Vulnerability Disclosure Policy (VDP) provides clear guidelines for security researchers to conduct vulnerability discovery activities and report findings to us responsibly.

We believe that working with the security community is crucial for continuous security improvement. We commit to prompt communication, remediation, and non-pursuit of legal action for good-faith activities that comply with this policy.

2. Authorization and "Safe Harbor"

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized.

TransLTR will not recommend or pursue legal action against you for:

● Bypassing security controls solely to identify a vulnerability.

● The actual discovery of a vulnerability.

● Actions that are necessary to demonstrate the vulnerability.

Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, we will take steps to make this authorization known.

3. Guidelines for Responsible Research

Researchers must adhere to the following principles:

⚠️ What You MUST NOT Do (Prohibited Activities)

● Do not attempt to modify or delete data, or pivot to other systems.

● Do not access or download unnecessary, excessive, or significant amounts of sensitive data (including Personally Identifiable Information/PII, financial, or proprietary information).

● Do not engage in any activities that could degrade the user experience, disrupt our production systems, or damage data (e.g., Denial of Service/DoS or Distributed Denial of Service/DDoS attacks, or high-volume automated scanning).

● Do not use physical attacks, social engineering (e.g., phishing, vishing), or non-technical means against our employees, contractors, or infrastructure.

● Do not demand financial compensation or other rewards as a condition of reporting the vulnerability.

✅ What You MUST Do

● Notify us immediately upon discovering a real or potential security issue.

● Stop your test immediately upon confirming the existence of a vulnerability or encountering any sensitive data.

● Provide sufficient detail in your report to allow us to reproduce the vulnerability (see Section 5).

● Refrain from disclosing the vulnerability publicly until we have agreed on a coordinated disclosure timeline (see Section 7).


4. Scope (Systems Covered)

This policy applies to the following systems and assets owned, operated, and maintained by TransLTR:

Asset Type: Primary Web Properties

● In-Scope Examples: *.tlr-services.net, transltr.com, api.yourcompanydomain.com

● Out-of-Scope Examples: Third-party services, marketing sites (e.g., blog.yourcompanydomain.com)

Asset Type: Mobile Applications

● In-Scope Examples: [List specific App names/platforms, e.g., iOS and Android applications]

● Out-of-Scope Examples: Third-party mobile libraries

Note: Any system not explicitly listed above is considered Out-of-Scope. Testing against out-of-scope systems may be considered unauthorized.


5. Reporting a Vulnerability

We accept vulnerability reports via the following secure channel:

● Dedicated Email: forensics@tlr-services.net

● Secure Form (if applicable): [Link to a secure submission form, if available]

● PGP Key (Optional): [Link to your PGP Public Key for encrypted reports]


What to Include in Your Report

To help us triage and prioritize submissions efficiently, we request that your report include:

1. Vulnerability Description: A brief, clear summary of the issue (e.g., "Stored XSS on user profile page").

2. Location: The URL or IP address where the vulnerability was discovered.

3. Steps to Reproduce (Proof of Concept): A detailed, step-by-step description of how to exploit the vulnerability. Code snippets, screenshots, or proof-of-concept scripts are highly valuable.

4. Impact: The potential risk or damage if the vulnerability were exploited by a malicious actor.

5. Contact Information: Your name/handle and preferred contact method. This is optional, and reports may be submitted anonymously, but we need it if you want an acknowledgment, status updates, or public credit.


6. Our Commitment to You (What to Expect)

When you submit a report to us, you can expect the following:

● Acknowledgment: We will acknowledge receipt of your report within 5 business days.

● Confirmation & Triage: We will work to confirm the existence of the vulnerability and prioritize it based on its severity.

● Regular Updates: We will keep you informed of our progress towards remediation. We ask that you limit status inquiries to no more than once every 10 days.

● Resolution: We strive to resolve all valid vulnerabilities as quickly as possible.

● Public Credit: If requested, we will publicly recognize your contribution on our Hall of Fame/Acknowledgments page after the issue has been resolved.


7. Coordinated Disclosure

We require researchers to coordinate any public release of information with us. We ask that you refrain from sharing information about the vulnerability for 90 days after we acknowledge receipt of your report, or until we have publicly announced the fix, whichever is sooner.