Responsible Disclosure

Responsible Disclosure Policy

This page is intended for security researchers that have an interest in looking for vulnerabilities on truework.com. If you find a vulnerability on our website we strongly encourage you to reach out to our team as soon as possible. To encourage responsible disclosure of vulnerabilities, Truework will not bring a lawsuit if you follow the guidelines below and will make sure to thank and mention you on this page or any page that lists researchers that have contributed to make our website more secure.

How to report a security vulnerability

All vulnerabilities should be reported via email to admin@truework.com.

Please do

Notify Truework and provide us details of the issue. If you have reproduction steps please make sure to indicate them. Before going public, please allow for a reasonable amount of time for our team to assess and fix it.

Stay in contact with our team in case we need additional information. We will keep you up-to-date with the progress of the fix.

Avoid, as much as possible, disruption of our service as you investigate.

Please do not

Attempt to phish Truework employees.

Attempt to phish users of our platform.

Request compensation from Truework or share any vulnerabilities before we indicate that the issue has been fixed on our side.

Exploit the security issue once it has been confirmed to work.

Send raw reports from automated tools without providing a proof-of-concept.

In-scope vulnerabilities

SQL Injections issues

Attacks giving unauthorized access to our users' information (User data exposure)

Attacks giving unauthorized access to our employees' information (Employee data exposure)

Authentication related issues

Authorization related issues

CSRF issues

XSS issues

Out of scope vulnerabilities

Denial of service attack on our domains

Brute forcing passwords or URL paths

Phishing/social engineering of our users

Issues present in old browsers

User listing through enumeration

Responsible Disclosure Program