Policy
- 90-day coordinated disclosure window.
- 48-hour initial acknowledgement target.
- Good-faith researchers are welcome.
Responsible Disclosure
If you discover a security issue, email us at security@trucore.xyz.
Last updated: 2026-04-06
In Scope
- TruCore web application routes.
- Public and authenticated API endpoints.
Out of Scope Examples
- Denial-of-service and traffic flooding.
- Social engineering, phishing, or physical attacks.
- Issues in third-party infrastructure outside direct TruCore control.
Read the broader posture on Security Overview.