Security & Vulnerability Disclosure Policy
We build offensive tooling for a living, so we take the security of our own systems seriously. If you have found a vulnerability in a TrueCyber service or product, we want to hear from you and we will work with you to fix it quickly and responsibly.
Reporting a vulnerability
Please send your report by email to contact@truecyber.world with a clear subject line such as "Security report". To help us triage and reproduce the issue quickly, include as much of the following as you can:
- The affected asset (URL, host, endpoint, or software product and version).
- A description of the vulnerability and its potential impact.
- Clear, step-by-step instructions to reproduce it, including any required accounts or preconditions.
- Proof-of-concept code, requests, or screenshots where relevant.
- Your name or handle if you would like to be credited publicly.
If you need to share sensitive details, ask us in your first email and we will arrange an encrypted channel. Please report each distinct issue separately so we can track it through to a fix.
Scope
The following assets are in scope for this policy:
- The public website at truecyber.world and its subdomains.
- The member portal at truecyber.world/portal/.
- Our Windows software, including NetHook and CallHook, and their licensing and update endpoints.
The following are out of scope, and reports about them will usually be closed without action:
- Findings that require physical access to a user's device, a rooted or jailbroken device, or a compromised account.
- Reports from automated scanners with no demonstrated, exploitable impact.
- Missing security headers, cookie flags, or TLS configuration issues with no concrete exploit.
- Denial-of-service, volumetric, rate-limiting, or resource-exhaustion testing.
- Social engineering, phishing, or physical attacks against TrueCyber staff, users, or facilities.
- Vulnerabilities in third-party services or dependencies that we do not control (report those to the relevant vendor).
Rules of engagement and safe harbor
We will not pursue legal action against researchers who act in good faith and follow this policy. To stay within safe harbor, please respect the following:
Please do
- Test only against accounts and data that belong to you.
- Stop as soon as you confirm a vulnerability, and report it.
- Give us a reasonable time to remediate before any public disclosure.
- Keep the details of any issue confidential until it is resolved.
Please do not
- Access, modify, or delete data that does not belong to you.
- Degrade, disrupt, or run denial-of-service tests against our services.
- Use automated, high-volume scanning that affects availability.
- Publicly disclose an issue before we have agreed it is resolved.
Our commitment to you
When you report an issue in good faith under this policy, we will:
- Acknowledge your report within 3 business days.
- Triage and validate the issue, and keep you informed of our progress.
- Remediate confirmed vulnerabilities as quickly as is practical, prioritised by severity.
- Credit you publicly for the discovery if you wish, once the issue is fixed.
Recognition
TrueCyber does not currently operate a paid bug bounty program, so we do not offer monetary rewards. We do deeply value the work of the security community: with your permission, we will publicly acknowledge your contribution once the issue has been resolved.
security.txt
A machine-readable version of this policy is published per RFC 9116 at /.well-known/security.txt:
Contact: mailto:contact@truecyber.world
Contact: https://truecyber.world/security.me
Policy: https://truecyber.world/security.me
Preferred-Languages: en, fr
Canonical: https://truecyber.world/.well-known/security.txt
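As an added example (this is not TrueCyber's code or a tool the page describes), the following checker parses a security.txt file and reports deviations from the MUST rules of RFC 9116: at least one Contact, exactly one Expires holding an RFC 3339 date/time that is still in the future, Preferred-Languages at most once, and https:// rather than http:// for any web URI. It is run against the fields exactly as quoted on this page, which contain no Expires line, and against a constructed variant that adds one; the field names, the 2099 expiry date and the report wording are the example's own assumptions, not anything the page states.

```python
"""Added example: a small RFC 9116 security.txt checker (not TrueCyber's code)."""
from datetime import datetime, timezone
import re

# Field names defined by RFC 9116, keyed by lowercase for case-insensitive lookup.
KNOWN_FIELDS = {n.lower(): n for n in (
    "Acknowledgments", "Canonical", "Contact", "Encryption", "Expires",
    "Hiring", "Policy", "Preferred-Languages", "CSAF")}
REQUIRED = ("Contact", "Expires")                    # MUST be present
SINGLE_VALUED = ("Expires", "Preferred-Languages")   # MUST NOT appear more than once
URI_FIELDS = tuple(n for n in KNOWN_FIELDS.values()
                   if n not in ("Expires", "Preferred-Languages"))
URI_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# The fields as quoted on this page (no Expires line).
PAGE_SECURITY_TXT = """\
Contact: mailto:contact@truecyber.world
Contact: https://truecyber.world/security.me
Policy: https://truecyber.world/security.me
Preferred-Languages: en, fr
Canonical: https://truecyber.world/.well-known/security.txt
"""

# Constructed variant for the example: same fields plus the required Expires.
EXAMPLE_WITH_EXPIRES = PAGE_SECURITY_TXT + "Expires: 2099-01-01T00:00:00Z\n"


def parse_security_txt(text):
    """Return (field, value) pairs in file order; comments and blank lines are skipped."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no ':' separator): {raw!r}")
        # Normalise known names so 'contact' and 'Contact' are treated alike.
        name = KNOWN_FIELDS.get(name.strip().lower(), name.strip())
        fields.append((name, value.strip()))
    return fields


def check_security_txt(text, now=None):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)
    names = [name for name, _ in fields]

    for req in REQUIRED:
        if req not in names:
            problems.append(f"missing required field: {req}")
    for single in SINGLE_VALUED:
        if names.count(single) > 1:
            problems.append(f"field must not appear more than once: {single}")

    for name, value in fields:
        if name not in KNOWN_FIELDS.values():
            problems.append(f"unknown field: {name}")  # extensions are allowed; flag for review
        elif name == "Expires":
            try:
                expires = datetime.fromisoformat(
                    value.replace("Z", "+00:00").replace("z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an RFC 3339 date/time: {value}")
                continue
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                problems.append(f"Expires is in the past: {value}")
        elif name in URI_FIELDS:
            m = URI_SCHEME.match(value)
            if not m:
                problems.append(f"{name} value is not a URI: {value}")
            elif m.group(1).lower() == "http":
                problems.append(f"{name} web URI must use https://: {value}")
    return problems


if __name__ == "__main__":
    for label, body in (("page", PAGE_SECURITY_TXT), ("with Expires", EXAMPLE_WITH_EXPIRES)):
        print(label, "->", check_security_txt(body) or "OK")
```

Run against the fields quoted on this page the checker reports only the absent Expires field; RFC 9116 makes that field mandatory and recommends a value less than a year ahead, so it is the first thing a researcher's tooling (or a monitoring job fetching /.well-known/security.txt over HTTPS) will complain about. The checker deliberately stops at syntax: it does not verify that the Contact address is reachable or that the Canonical URL actually serves the file.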