Coordinated security disclosure.
TrueSign welcomes coordinated disclosure from independent security researchers and institutional security teams.
Scope
This policy applies to truesignsecurity.com, customer-accessible TrueSign endpoints, and the TrueSign client SDKs.
Contact
Submit reports to charlesc@dataworldone.com with subject "Security report, coordinated disclosure". PGP key available on request.
Safe harbor
Good-faith research conducted within this policy will not be subject to legal action by Data World 1, LLC. Researchers must avoid disruption to customer services, must not access or alter production data beyond what is necessary to demonstrate the issue, and must respect customer confidentiality.
Out of scope
Denial-of-service testing, social engineering of TrueSign personnel or customers, physical attacks, and testing against production cryptographic key material.
Acknowledgement
Validated reports are acknowledged within five business days. Coordinated public disclosure is negotiated in good faith following remediation.
- [1] ISO/IEC 29147:2018, Information technology, Security techniques, Vulnerability disclosure.
- [2] ISO/IEC 30111:2019, Information technology, Security techniques, Vulnerability handling processes.
- [3] CISA, Coordinated Vulnerability Disclosure Process. https://www.cisa.gov/coordinated-vulnerability-disclosure-process
- [4] Computer Fraud and Abuse Act, 18 U.S.C. § 1030, referenced for safe-harbor scope construction.
Citations are provided for transparency. Authoritative interpretation of any cited statute, regulation, or standard rests with the issuing body and qualified counsel in the relevant jurisdiction.
