Security Policy

Responsible disclosure policy for TrussNote. Last updated April 5, 2026.

Overview

TrussNote takes the security of our platform and our customers' data seriously. We welcome reports from security researchers who discover potential vulnerabilities in our systems. This policy outlines how to report vulnerabilities, what you can expect from us, and the terms under which you may conduct security research.

In scope

  • www.trussnote.com and all subdomains
  • TrussNote web application and API endpoints
  • Authentication and session management
  • Data exposure or unauthorized access to customer data
  • Injection vulnerabilities (SQL, command) and server-side request forgery (SSRF)
  • Cross-site scripting (XSS) and cross-site request forgery (CSRF)
  • Business logic flaws with security impact

Out of scope

  • Denial of service attacks (DoS/DDoS)
  • Spam or social engineering attacks
  • Physical attacks against TrussNote infrastructure
  • Vulnerabilities in third-party services we depend on (report to them directly)
  • Rate limiting issues without a demonstrated security impact
  • Missing security headers without a proof-of-concept exploit
  • Findings from automated scanners without manual validation

How to report

Send your report to security@trussnote.com. For sensitive reports, encrypt your email using our PGP key available at /pgp-key.txt.

Your report should include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity in your assessment
  • Any proof-of-concept code or screenshots
  • Your name and contact information (optional — anonymous reports accepted)

Response timeline

  • Acknowledgment (within 2 business days): we confirm receipt of your report.
  • Initial assessment (within 5 business days): we assess severity and confirm whether the report is in scope.
  • Status update (within 10 business days): we provide an update on our remediation plan.
  • Resolution (varies by severity): critical issues within 7 days, high within 30 days, others within 90 days.

Safe harbor

When you conduct security research in good faith under this policy, we consider your research to be authorized. We will not pursue legal action against researchers who:

  • discover and report vulnerabilities according to this policy,
  • avoid privacy violations and disruption to our services,
  • do not access or modify customer data, and
  • act in good faith throughout the disclosure process.

We ask that you give us reasonable time to address the issue before any public disclosure.
