Security Program

Responsible Disclosure

TrustedOrb welcomes responsible disclosure reports about issues that may affect the security of our website, domains, and online infrastructure under our control. This page explains how to report a potential security issue safely, what is in scope, and the minimum rules we ask you to follow.

Good-Faith Program
Last updated: 25 May 2026

Security Reporting Contact

Security Reporting Email

Suggested subject: [Security] Vulnerability Report

This is not an emergency incident channel. For active incidents, use the phone contact channel indicated on the website. The [email protected] address is intended for responsible vulnerability disclosure only.

01

How to Report a Vulnerability

Please email: [email protected]. Do not submit vulnerability reports by phone, Microsoft Bookings, or social media channels. Where possible, include:

  • a clear description of the issue and the expected impact;
  • exact reproduction steps;
  • affected URLs and components;
  • non-intrusive evidence (e.g., screenshots, sanitized request/response samples, relevant logs);
  • approximate date/time of testing;
  • a contact method for follow-up.

Please redact passwords, tokens, personal data, and any information that is not necessary to demonstrate the issue.

02

Good-Faith Testing Rules

To keep the process safe and responsible, please:

  • test only to the extent necessary to validate the vulnerability;
  • do not access, modify, copy, or exfiltrate any data you do not own (including personal data);
  • do not perform actions that may degrade availability (e.g., DoS/DDoS, aggressive load testing);
  • do not use social engineering (phishing, pretexting) against our staff/contractors;
  • do not attempt physical access, attacks against providers, spam, brute force, malware, persistence, or lateral movement;
  • do not publicly disclose vulnerability details before the issue is confirmed and addressed.

Important: If you accidentally encounter sensitive data, stop testing immediately and mention it in your report.

03

Scope (In Scope / Out of Scope)

In Scope

  • the trustedorb.com domain and official subdomains under TrustedOrb control;
  • public pages, static assets, and public endpoints operated by TrustedOrb;
  • website misconfigurations that could lead to unauthorised access, privilege escalation, data disclosure, or code execution.

Out of Scope

  • third-party systems/services not directly controlled by TrustedOrb, including Microsoft Bookings, Microsoft 365, LinkedIn, YouTube, X, Google, Cloudflare, or cyberfolks, unless the issue is directly caused by a TrustedOrb configuration;
  • reports based solely on automated scanning without validation or demonstrated impact;
  • missing security headers or configuration findings without a realistic exploitation scenario;
  • version disclosure, error messages without demonstrated impact, or duplicate reports;
  • non-security issues (e.g., cosmetic or content-related bugs).

04

What to Expect from Us (Response Times)

We aim to:

  • acknowledge receipt within 5 business days;
  • perform an initial triage and, depending on complexity, provide a status update or follow-up questions.

Remediation timelines may vary based on severity, complexity, and technical dependencies.

We do not offer monetary rewards or other benefits for reports unless a separate program is explicitly announced by TrustedOrb.

05

Safe Harbor (Good-Faith)

If you act in good faith, follow the rules above, and limit testing to what is strictly necessary to identify and report the vulnerability, TrustedOrb does not intend to pursue legal action against you for research activities conducted within these limits, to the extent permitted by law.

Note: This is not an authorisation for intrusive testing and does not cover malicious activity, unauthorised data access, deliberate service disruption, impact to third parties, or any unlawful conduct.

06

Confidentiality

We treat security reports as confidential and use them solely for investigation and remediation. Please avoid including personal data or sensitive information that is not necessary to demonstrate the issue.

If you need to share sensitive details, mention this in your email and TrustedOrb will propose an appropriate secure communication option, if available.

Personal data processing associated with reporting is described in the Privacy Policy. Cookies and similar technologies are described in the Cookie Policy.