
Vulnerability Disclosure Policy

Torvus Security welcomes responsible disclosure of vulnerabilities by security researchers.


Overview

We believe that working with skilled security researchers is critical to identifying weaknesses in our systems. We encourage responsible disclosure and appreciate your efforts to help us maintain the security of our platform.

Our Commitment:

  • We will respond to your report within 24 hours
  • We will keep you informed of our progress throughout the investigation
  • We will credit you in our security acknowledgments (if you wish)
  • We will not take legal action against researchers who follow this policy

Scope

In Scope

The following systems and applications are in scope for vulnerability reports:

Primary Applications:

  • app.torvussecurity.com - Main web application
  • api.torvussecurity.com - REST API
  • docs.torvussecurity.com - Public documentation

Mobile Applications (when available):

  • iOS application
  • Android application

Acceptable Vulnerability Types:

  • Authentication and authorization flaws
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • Server-Side Request Forgery (SSRF)
  • Remote Code Execution (RCE)
  • Privilege escalation
  • Insecure Direct Object References (IDOR)
  • Business logic vulnerabilities
  • Cryptographic vulnerabilities
  • Information disclosure

Out of Scope

The following are explicitly out of scope and will not be accepted:

Systems:

  • Third-party services (AWS, Supabase, Vercel, Cloudflare)
  • Employee email accounts or corporate systems
  • Physical security of Torvus offices
  • Social engineering attacks

Vulnerability Types:

  • Self-XSS (the victim must paste or type the payload into their own session; there is no attacker-to-victim delivery)
  • Clickjacking on pages with no sensitive actions
  • Open redirects (unless critical business impact)
  • Missing security headers (without proof of exploitability)
  • Rate limiting bypass (without business impact)
  • Username/email enumeration
  • Reports from automated scanners without verification
  • Denial of Service (DoS) attacks
  • Spam or phishing attacks
  • Previously reported vulnerabilities

Reporting a Vulnerability

How to Report

Email: security@torvussecurity.com

PGP Encryption (optional but recommended for sensitive reports):

-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP Public Key for security@torvussecurity.com]
-----END PGP PUBLIC KEY BLOCK-----

HackerOne (coming soon):

  • Private bug bounty program launching Q1 2026
  • Public program planned for Q3 2026

What to Include

Please provide the following information in your report:

Required Information:

  1. Vulnerability Type: XSS, CSRF, SQL Injection, etc.
  2. Affected URL/Endpoint: Specific page or API endpoint
  3. Steps to Reproduce: Clear, numbered steps
  4. Proof of Concept (PoC): Code, screenshots, or video
  5. Impact: Severity and potential consequences
  6. Your Name/Handle: For acknowledgment (optional)

Optional but Helpful:

  • Affected version (for mobile apps)
  • Browser/device information
  • Suggested remediation
  • Related CVEs or research
  • Timeline of your research

Example Report

**Vulnerability Type**: Reflected Cross-Site Scripting (XSS)

**Affected URL**:
https://app.torvussecurity.com/search?q=[PAYLOAD]

**Steps to Reproduce**:
1. Navigate to https://app.torvussecurity.com/search
2. Enter the following payload in search field: <script>alert(document.cookie)</script>
3. Submit search
4. Observe JavaScript execution in browser

**Proof of Concept**:
[Screenshot showing alert dialog with session cookie]

**Impact**:
- Severity: Medium (CVSS 3.1 base score 6.1, vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
- Attack vector: Victim must open an attacker-crafted link; no account is needed to craft it
- Potential impact: Session hijacking and account takeover. The PoC shows the session cookie in document.cookie, so the cookie is not marked HttpOnly
- Affected users: All authenticated users

**Suggested Remediation**:
Encode the search query for the HTML context in which it is rendered (HTML entity encoding of &, <, >, " and ') at the point of output, and as defense in depth:
- Content Security Policy (CSP) that does not allow 'unsafe-inline' scripts
- HttpOnly and Secure flags on the session cookie so script cannot read it
- Do not rely on the X-XSS-Protection header: current browsers have removed the XSS auditor, so set it to 0 or omit it

**Reporter**: Jane Smith (jane@securityresearcher.com)
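The fix the sample report asks for, as an added example that is not part of this policy or of Torvus's own code: a minimal search-results renderer with the reflected-XSS bug beside an output-encoded version, plus the response headers that back the fix up. The function names, header values and cookie name are illustrative assumptions, not Torvus's configuration; the payload is the one from the report above.

```javascript
// Added example, not Torvus code: the reflected XSS from the sample report,
// shown as a vulnerable renderer beside the output-encoded fix, with the
// response headers that back the fix up. Route, header and cookie values are
// assumed for illustration.

// Vulnerable: the user-controlled query is concatenated straight into HTML.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// HTML entity encoding for the HTML body / quoted-attribute context. These
// five characters are the ones that can change parsing in that context; a
// value inserted into a URL, a <script> block or a CSS context needs a
// different encoder, which is why "encode on output, per context" is the rule.
// '&' is replaced first so already-encoded entities are not re-encoded twice.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: same page, query encoded at the point it is written into HTML.
function renderSearchHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Defense-in-depth headers to send with every HTML response (assumed values).
// - CSP without 'unsafe-inline' stops an injected <script> from running even
//   if an encoding gap remains somewhere else in the app.
// - X-XSS-Protection is set to 0: current browsers have dropped the XSS
//   auditor, and the old filtering mode created side channels of its own.
// - HttpOnly keeps the session cookie out of document.cookie, so the PoC's
//   cookie theft fails even where script execution is achieved.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "Set-Cookie": "session=<opaque-token>; Secure; HttpOnly; SameSite=Lax; Path=/",
  };
}

// Regression check a reporter or CI job can run: does a raw <script> tag
// survive into the markup?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed payload, the one from the sample report.
const PAYLOAD = "<script>alert(document.cookie)</script>";

console.log("vulnerable:", renderSearchVulnerable(PAYLOAD));
console.log("hardened:  ", renderSearchHardened(PAYLOAD));
console.log(
  "raw <script> survives? vulnerable =", containsRawScript(renderSearchVulnerable(PAYLOAD)),
  "hardened =", containsRawScript(renderSearchHardened(PAYLOAD)),
);
```

Run it with `node` and compare the two rendered lines: the vulnerable one carries the tag verbatim, the hardened one carries `&lt;script&gt;`, which the browser displays as text. The headers are the second layer; they do not replace output encoding, because CSP only helps against script injection and a missing HttpOnly flag only matters once script already runs.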

Response Process

Timeline

| Stage | Timeframe | Description |
|---|---|---|
| Initial Response | Less than 24 hours | Acknowledgment of report receipt |
| Triage | 1-3 days | Severity assessment and validation |
| Investigation | 3-14 days | Reproduction and impact analysis |
| Remediation | 7-90 days | Fix development and deployment |
| Disclosure | After fix | Public disclosure (coordinated) |

Severity Levels

We use CVSS 3.1 scoring for vulnerability severity:

| Severity | CVSS Score | Response Time | Examples |
|---|---|---|---|
| Critical | 9.0-10.0 | <24 hours | RCE, SQL injection with data access |
| High | 7.0-8.9 | <3 days | Auth bypass, privilege escalation |
| Medium | 4.0-6.9 | <7 days | XSS, CSRF, IDOR |
| Low | 0.1-3.9 | <30 days | Information disclosure, missing headers |

What to Expect

Acknowledgment (Day 1):

Subject: [VULN-2025-001] Acknowledgment of Vulnerability Report

Hi Jane,

Thank you for reporting this vulnerability. We have received your report and assigned it tracking ID VULN-2025-001.

Our security team is reviewing the issue and will follow up within 3 business days with an initial assessment.

Best regards,
Torvus Security Team

Triage (Day 3):

Subject: [VULN-2025-001] Vulnerability Confirmed - Medium Severity

Hi Jane,

We have confirmed the XSS vulnerability you reported. Initial assessment:

- Severity: Medium (CVSS 3.1 base score 6.1)
- Status: Confirmed, reproducible
- Affected versions: All current versions
- Remediation timeline: Fix planned for next release (Oct 15, 2025)

We will keep you updated on remediation progress. Thank you for your responsible disclosure.

Best regards,
Torvus Security Team

Resolution (Day 30):

Subject: [VULN-2025-001] Vulnerability Resolved

Hi Jane,

The XSS vulnerability (VULN-2025-001) has been resolved and deployed to production.

Fix deployed: October 15, 2025
CVE assigned: CVE-2025-XXXXX
Credit: Jane Smith
Reward: $500 (if bug bounty active)

We plan to publicly disclose this vulnerability on November 15, 2025 (30 days post-fix). Please let us know if you would prefer a different disclosure date or wish to remain anonymous.

Thank you again for your responsible disclosure.

Best regards,
Torvus Security Team

Rewards & Recognition

Security Hall of Fame

We maintain a public Security Hall of Fame acknowledging researchers who have responsibly disclosed vulnerabilities:

2025 Contributors:

  • Jane Smith - XSS vulnerability (October 2025)
  • John Doe - IDOR vulnerability (September 2025)
  • Security Researcher - Auth bypass (August 2025)

View full hall of fame

Bug Bounty Program

Status: Launching Q1 2026

Reward Ranges (estimated):

  • Critical: $1,000 - $5,000
  • High: $500 - $1,000
  • Medium: $250 - $500
  • Low: $100 - $250

Payment Methods:

  • PayPal
  • Bank transfer
  • Cryptocurrency (BTC, ETH)
  • Charitable donation (in your name)

Eligibility:

  • First to report (no duplicates)
  • Follows responsible disclosure policy
  • Provides clear proof of concept
  • Does not publicly disclose before fix

Swag

For valid vulnerability reports, we offer Torvus Security swag:

  • T-shirts
  • Hoodies
  • Stickers
  • Coffee mugs

Responsible Disclosure Guidelines

Do's

  1. Give Us Time to Fix: Allow reasonable time for remediation before public disclosure (90 days minimum)
  2. Report Only to Us: Do not disclose to third parties before we've had a chance to fix
  3. Provide Proof of Concept: Include steps to reproduce and evidence of impact
  4. Use Test Accounts: Create test accounts for testing, don't access other users' data
  5. Report Promptly: Report vulnerabilities as soon as you discover them
  6. Follow the Law: Comply with all applicable laws and regulations

Don'ts

  1. Don't Access Others' Data: Do not access, modify, or delete other users' data
  2. Don't Launch DoS Attacks: Do not perform attacks that degrade service availability
  3. Don't Use Automated Scanners: Do not use automated vulnerability scanners without permission
  4. Don't Social Engineer: Do not attempt to social engineer Torvus employees or customers
  5. Don't Publicly Disclose Prematurely: Do not disclose vulnerabilities before fix is deployed (90-day embargo)
  6. Don't Demand Ransom: Do not threaten to publicly disclose unless we pay

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized: We will not initiate legal action against researchers
  • Lawful: Research conducted in good faith under this policy
  • Beneficial: We value and encourage responsible disclosure

Legal Protection:

  • We will not pursue civil action for unintentional, good faith security research
  • We will not report security researchers to law enforcement
  • We will work with you to resolve any legal concerns

If Law Enforcement Contacts You:

  • If you are contacted by law enforcement regarding security research on Torvus systems, please contact us immediately at legal@torvussecurity.com
  • We will work with law enforcement to explain that your research was authorized

Coordinated Disclosure

We prefer coordinated disclosure (also known as responsible disclosure):

Disclosure Timeline

  1. Day 0: Vulnerability reported to Torvus
  2. Day 1: Acknowledgment from Torvus
  3. Day 1-14: Triage and validation
  4. Day 14-90: Fix development and deployment
  5. Day 90: Public disclosure (if fix not deployed)
  6. Fix + 30 days: Coordinated public disclosure

Public Disclosure

When We Disclose:

  • 30 days after fix deployment (coordinated with reporter)
  • 90 days after initial report (even if not fixed, for transparency)

What We Disclose:

  • Vulnerability description (general, not exploit details)
  • Affected versions
  • Remediation advice
  • Credit to researcher (if desired)
  • CVE identifier (if assigned)

Where We Disclose:

  • Security advisory on our website
  • Blog post for significant vulnerabilities
  • Email to affected customers (if applicable)
  • CVE database (if applicable)

Exclusions

The following activities are prohibited and may result in legal action:

  1. Physical Attacks: Attempting physical access to Torvus facilities
  2. Social Engineering: Phishing, pretexting, or manipulating employees
  3. Denial of Service: DoS/DDoS attacks, resource exhaustion
  4. Data Destruction: Deleting or modifying production data
  5. Spam: Sending unsolicited emails or messages
  6. Harassment: Harassing employees, customers, or other researchers
  7. Extortion: Demanding payment or threatening public disclosure

Contact Information

Security Team Email: security@torvussecurity.com

PGP Fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX

Response Time: <24 hours for all reports

Office Hours Support: Monday-Friday, 9 AM - 5 PM PST

Emergency: For critical vulnerabilities actively being exploited, call our security hotline at 1-800-XXX-XXXX



Frequently Asked Questions

Q: Will I get in trouble for reporting a vulnerability? A: No. We consider good-faith security research authorized under this policy and will not take legal action.

Q: How long does the process take? A: We acknowledge reports within 24 hours. Critical issues are fixed within days; lower-severity issues may take 30-90 days.

Q: Can I publicly disclose the vulnerability? A: Yes, but please allow us 90 days to fix the issue first. Coordinated disclosure 30 days after fix is preferred.

Q: Do you offer monetary rewards? A: Bug bounty program launching Q1 2026 with rewards up to $5,000. Currently, we offer recognition and swag.

Q: Can I test on production systems? A: Yes, but please limit testing to non-destructive actions. Do not access other users' data or perform DoS attacks.

Q: What if you don't respond to my report? A: We respond to all reports within 24 hours. If you don't hear from us, please follow up or contact legal@torvussecurity.com.


Thank you for helping us keep Torvus Security safe and secure.

Last Updated: October 8, 2025