Truework Responsible Disclosure Program

This page is intended for security researchers who are interested in looking for vulnerabilities on If you find a vulnerability on our website, we strongly encourage you to contact our team as soon as possible. To encourage responsible disclosure, Truework will not pursue legal action against researchers who follow the guidelines below, and will thank and credit you on this page or on any page that lists researchers who have helped make our website more secure.

How to report a security vulnerability

All vulnerabilities should be reported via email to

Please do

  • Notify Truework and provide details of the issue, including reproduction steps if you have them. Before disclosing publicly, allow our team a reasonable amount of time to assess and fix the issue.
  • Stay in contact with our team in case we need additional information; we will keep you up to date on the progress of the fix.
  • Avoid, as much as possible, disrupting our service while you investigate.

Please do not

  • Attempt to phish Truework employees.
  • Attempt to phish users of our platform.
  • Request compensation from Truework, or share details of any vulnerability before we confirm that the issue has been fixed on our side.
  • Continue exploiting a security issue once you have confirmed that it works.
  • Send raw output from automated scanners without providing a proof of concept.

In-scope vulnerabilities

  • SQL injection issues
  • Attacks giving unauthorized access to our users' information (User data exposure)
  • Attacks giving unauthorized access to our employees' information (Employee data exposure)
  • Authentication related issues
  • Authorization related issues
  • CSRF issues
  • XSS issues

Out of scope vulnerabilities

  • Denial of service attacks against our domains
  • Brute-forcing passwords or URL paths
  • Phishing or social engineering of our users
  • Issues that only affect old browsers
  • User enumeration (listing users)