Responsible Disclosure Policy

Trusted Path Ltd • Effective: 17 May 2026 • Version 1.0 • Worldwide

Contents

  1. Introduction
  2. Scope
  3. How to Report
  4. What to Include
  5. Our Commitments
  6. Responsible Research
  7. Response Timeline
  8. Recognition
  9. Legal

Before You Begin

We take the security of the Trusted Path platform seriously. If you believe you have found a vulnerability, please read this policy in full before taking any action. Do not attempt to exploit, disclose publicly, or share the vulnerability with any third party before we have had the opportunity to investigate and remediate it.

1. Introduction

Trusted Path Ltd welcomes reports from security researchers, customers, and members of the public worldwide who identify potential vulnerabilities in our platform or infrastructure. This policy sets out how to report a vulnerability to us, what you can expect from us in return, and the boundaries of responsible research.

We do not operate a paid bug bounty programme at this time. However, we genuinely value good-faith security research and commit to treating every report with care and transparency.


2. Scope

In Scope

  • Trusted Path platform — the web application accessible at trustedpath.biz and any associated subdomains.
  • Authentication and access control — login flows, session management, and role-based access mechanisms.
  • API endpoints — any publicly documented or discoverable API endpoints served by Trusted Path.
  • Data exposure — any unintended exposure of customer data, configuration, or credentials.

Out of Scope

  • Third-party services or infrastructure not directly operated by Trusted Path (e.g. cloud providers, payment processors, identity providers).
  • Vulnerabilities in software or libraries that have not yet been patched by their upstream maintainers, where Trusted Path has no immediate mitigating action available.
  • Social engineering attacks against Trusted Path staff or customers.
  • Physical security.
  • Denial-of-service (DoS or DDoS) testing of any kind.
  • Automated scanning that generates excessive traffic or degrades service for other users.

3. How to Report

Send your report by email to security@trustedpath.biz. Please use the subject line "Vulnerability Report" followed by a brief description of the issue.

If you believe the vulnerability is particularly sensitive or involves exposure of personal data, you may request our PGP public key from the same address before submitting your report.

Please do not raise vulnerability reports via public issue trackers, social media, or any channel other than the email address above.


4. What to Include

A useful report helps us reproduce and triage the issue quickly. Please include as much of the following as possible:

  • Description — a clear summary of the vulnerability and its potential impact.
  • Steps to reproduce — a numbered, step-by-step sequence that reliably demonstrates the issue.
  • Affected URL or component — the specific endpoint, page, or feature involved.
  • Evidence — screenshots, HTTP request/response captures, or proof-of-concept code. Please limit any proof-of-concept to the minimum necessary to demonstrate the vulnerability; do not extract, copy, or retain any data beyond that point.
  • Suggested severity — your assessment of the criticality (e.g. Critical, High, Medium, Low) and why.
  • Your contact details — a name or handle and email address so we can respond to you.

5. Our Commitments

Where a report is submitted in good faith and in accordance with this policy, Trusted Path commits to the following:

  • Safe harbour — we will not pursue civil or criminal action against you solely in connection with research conducted in good faith under this policy.
  • Acknowledgement — we will acknowledge receipt of your report within the timelines set out in Section 7.
  • Transparency — we will keep you informed of our progress and notify you when the vulnerability has been remediated.
  • Confidentiality — we will not share your personal details with third parties without your consent, except where required by applicable law.
  • No retaliation — we will not threaten, intimidate, or seek to identify you for the purpose of taking adverse action.

Safe harbour applies only where the research did not involve wilful damage, unauthorised access to data beyond the minimum required to demonstrate the vulnerability, or breach of any applicable law.


6. Responsible Research

In return for our commitments, we ask that researchers:

  • Only test against accounts and data they own or have explicit written permission to test.
  • Stop testing immediately upon discovering a potential vulnerability and report it to us without further exploitation.
  • Do not access, copy, modify, delete, or retain any customer data beyond what is strictly necessary to demonstrate the issue.
  • Do not interrupt or degrade the platform for other users.
  • Keep the details of any unpatched vulnerability strictly confidential until Trusted Path has confirmed remediation or has agreed a coordinated disclosure date with the researcher.
  • Act in good faith throughout, with the aim of improving security rather than causing harm.

7. Response Timeline

We aim to respond to all reports within the following timelines. These are targets, not guarantees, and may vary depending on complexity and severity.

Stage                              Target
Initial acknowledgement            2 business days
Triage and severity assessment     5 business days
Remediation (Critical / High)      30 days
Remediation (Medium / Low)         90 days
Coordinated public disclosure      By mutual agreement, after remediation

If we are unable to meet a timeline due to the complexity of a fix, we will communicate this to you proactively and agree a revised schedule.


8. Recognition

We do not currently offer monetary rewards. However, we sincerely appreciate the time and expertise of researchers who help us improve the security of our platform.

Where a report leads to a confirmed vulnerability being remediated, we will, with your permission:

  • Acknowledge you by name or handle in our internal security log.
  • Where we publish a public security advisory, credit you as the reporting researcher.

If you prefer to remain anonymous, simply let us know in your report and we will respect that preference.


9. Legal

Governing Law

This policy is governed by and construed in accordance with the law of England and Wales. Nothing in this policy limits or excludes any rights you may have under the laws of your own jurisdiction.

Changes to This Policy

Trusted Path may update this policy from time to time. The current version will always be published at trustedpath.biz/responsible-disclosure. Material changes will be noted in the version history below.

Version History

Version   Date          Summary of Changes
1.0       17 May 2026   Initial publication

Contact

Vulnerability Reports: security@trustedpath.biz

Trusted Path Ltd • 86-90 Paul Street, London, EC2A 4NE • Company No. 16189138 • ICO Reg. C1789194