Security
Responsible Disclosure Policy v1.1
Last updated: Apr 29, 2026
TruepixID — Verified, Not Stored™
Overview
We're grateful to researchers who help keep our platform safe. If you believe you've found a security vulnerability, please report it to us privately so we can investigate and remediate quickly.
01 Our Pledge to Researchers
We commit to working with the security community in good faith. Here's what you can expect from us:
Our commitments
- No blame for good-faith research within this policy
- Acknowledgment within 3 business days, triage in 7
- Transparent, coordinated disclosure and optional credit
02 Scope
What's in scope
- Primary domains: truepixid.com, truepixid.ca, and operated subdomains
- Web app UI, APIs, and backend services we own and operate
- Future mobile apps published by TruepixID (once released)
Out of scope
- Direct attacks on third-party vendors (cloud, payments, email); report issues in their services to those vendors
- DoS/DDoS, spam, brute force, or resource-exhaustion testing
- Social engineering of staff, customers, or partners
- Physical attacks or threats against facilities or equipment
- Low-risk issues without clear security impact
- Rate-limit stress beyond minimal proof-of-concept
Note: TruepixID is designed not to retain originals ("Verified, Not Stored™"). Do not access, modify, or exfiltrate customer data.
03 Rules of Engagement
- Use test accounts only; never target real customer data
- Minimize impact — no lateral movement or persistence/backdoors
- Don't exfiltrate data. If you can view sensitive info, share redacted screenshots or metadata only
- Stop immediately if you encounter regulated or personal data, and report the finding
- Follow applicable laws at all times
04 Response Timeline
- Acknowledgment: ≤ 3 business days
- Triage status: ≤ 7 business days
- Remediation plan: shared for valid issues
05 How to Report
Subject: Vulnerability Report: <short title>
Include:
- Summary and potential impact
- Exact locations (URLs/endpoints/params/versions)
- Proof of concept (steps, payloads, screenshots/video)
- Scope you tested and assumptions/limits
- Your contact and preferred credit (optional)
Need to send sensitive details? Request our security PGP key in your first email.
06 Safe Harbor
We won't pursue legal action against researchers who act in good faith under this policy: avoid privacy violations or service disruption, report promptly, and do not access, share, modify, or destroy data. This does not cover unlawful, exploitative, or out-of-scope activity.
07 Recognition & Bounties
We do not offer monetary bounties at this time.
Valid findings may receive: public recognition (Hall of Fame), optional thank-you swag, and coordinated disclosure credit once a fix is deployed and verified.
08 Data Residency Note
For residency-sensitive features — U.S. (us-east-1) and Canada (ca-central-1) — use test uploads only. Do not attempt cross-region moves or lifecycle tampering.