Responsible Security Disclosure Policy

We take the security of our services and our users' data very seriously. This document intends to establish the means by which you can report any security vulnerability to us safely, and the measures we will take to rectify it.

We appreciate any disclosure, but we ask that you follow the guidelines below to ensure safety and legal compliance.

If you've discovered a security vulnerability, please report it to us via our dedicated security disclosures email: [email protected]. You can choose to encrypt your message using PGP, especially if the vulnerability is particularly critical. Our PGP public keys are available at withtir.com/.well-known/pgp.txt.

Please do not report security vulnerabilities through any other means. Reporting directly to [email protected] ensures a quick response from appropriate personnel.

We will investigate all legitimate disclosures sent to us (as described above) and make an effort to resolve them as quickly as possible, as well as notify anyone that may have been affected. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, provided you comply with the following guidelines on responsible disclosure:

  • You provide details to reproduce the problem and a Proof of Concept on how it could be exploited. Vulnerabilities that implicate the functionality or security of the user accounts of anyone but the tester need to be reported within 7 days.
  • You make a good faith effort to avoid privacy violations of any user, destruction of data, or interruption of service.
  • You do not access or modify any data not belonging to you.
  • You give us a reasonable time to correct the issue and prevent further abuse before publicly disclosing the vulnerability.

For your assurance,

  1. TIR considers that a good-faith security researcher who complies with this policy to access our service has not accessed a computer without authorization or exceeded authorized access.
  2. TIR will not bring a copyright infringement claim against any good-faith security researcher who circumvents security mechanisms, so long as the researcher does not access any other code or binaries not pertinent to their research.

PGP Key Details

  • Email: [email protected]
  • Fingerprint: FA81 A933 18C2 CD0E 9467 9846 0478 3CE8 31EC 165D