Responsible disclosure
Report a vulnerability.
If you've found a security issue in any TrustEdge Labs property — this site, TrustGuard, or one of our open-source repositories — we want to hear from you. We commit to taking your report seriously, responding quickly, and giving credit when credit is due.
How to report
Email security@trustedgelabs.dev with:
- A clear description of the issue and its impact.
- Reproduction steps. A short PoC video or curl is ideal.
- Your handle for credit (or "anonymous" if you prefer).
- A way to reach you for clarifying questions.
Our commitment
- Acknowledgment within 2 business days.
- Initial triage and severity within 5 business days.
- No legal action against good-faith research conducted under this policy.
- Credit on the acknowledgments page (with permission).
- A clear timeline to fix and a coordinated disclosure window.
Out of scope
- DoS / volumetric attacks against our infrastructure.
- Reports requiring physical access to a victim's device.
- Social engineering of TrustEdge Labs staff or customers.
- Reports about missing security headers without demonstrated impact.
- Issues in third-party services we don't control.
Safe harbor
We consider good-faith research authorized only when it stays within this policy and meets all of the following:
- It targets only systems we own and operate (this site, TrustGuard, and our open-source repositories).
- It avoids privacy violations of any user.
- It avoids service disruption of any kind.
- It stops immediately on discovery of evidence of sensitive data exposure, and does not download, exfiltrate, or retain such data.
Within those bounds, we will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. This policy does not authorize testing of customer systems, third-party services, payment providers, hosting providers, or any infrastructure we do not control.
No bounty by default
We are an independent studio, not a bug bounty program. No payment is promised for reports unless explicitly agreed in writing in advance. We do offer public credit and a thank-you, and may extend a goodwill gesture (swag, a discount on services) for high-impact reports — at our discretion, not on demand.
Coordinated disclosure
Please do not publicly disclose the vulnerability, screenshots, exploit details, or affected endpoints until we have confirmed remediation or given you written permission to publish. We will agree on a coordinated disclosure window with you when we acknowledge your report.
Last updated: 2026-05-17 · security.txt