TrustSource Security policy

Expires: 2026-01-10T20:00:00.000Z

At TrustSource we are concerned with the security of your solutions. As our solutions are part of your solution, we also take the security of our solutions very serious. The following segments will help you finding your path across our security support offerings.

Security Information

For information regarding the security of our solutions, you may

get an understanding of the service status at our System Status Page
understand your and our responsibilities by reading the Shared Security Responsibility Model
follow our RSS feed on vulnerability disclosures at Vulnerability Disclosure Feed
get the Meta data on our CSAF provider
find tool or solution specific security information in the SECURITY.TXT provided in the root of each code repository

PLEASE DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO ANY OF THESE CONTACTS OR PAGES. USE THE INSTRUCTIONS BELOW FOR VULNERABILITY REPORTING TO ALLOW US A COORDINATED VULNERABILITY DISCLOSURE.

We appreciate and credit all security researchers and friends that support our and our clients security. You will find a list of people that successfully identified, reported a vulnerability in our services in our hall of fabulous security researchers. Occasionally we might run a bug bounty. If you are interested to be invited, feel free to reach out using our Security Contacts Form.

Reporting a vulnerability

Please use the below process to report a vulnerability to us:

Report by Email:

Email to support @ trustsource.io using the subject Security Alert
- Emails should contain:
  - description of the situation and brief issue
  - precise and detailed steps (include screenshots) that will let us reproduce the issue
  - the affected tool(s) and version(s)
  - if of relevance, your environment or
  - any possible mitigations, if known
  - your contact details, so that we may return with questions and know, whom to credit
Please encrypt your message for preventing unwanted 3rd party access to your information by using our public PGP key:

TrustSource Public Key for Vulnerability Disclosure

—–BEGIN PGP PUBLIC KEY BLOCK—–

mDMEZ8mVABYJKwYBBAHaRw8BAQdAKaJDF5z4SVLY6QWbvGOumHzYy3SwiZO4675h
vRWUIfu0LFRydXN0c291cmNlIFN1cHBvcnQgPHN1cHBvcnRAdHJ1c3Rzb3VyY2Uu
aW8+iJkEExYKAEEWIQTC/VJX2vOkYV1Ovo1r72GPkZsUxQUCZ8mVAAIbAwUJA4B8
AAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRBr72GPkZsUxd/kAP9RmiMB
XmRhVWUu2bpVPGZ5Y5d1YHpfNoHc73P4On9U+AD9FRlju+xM96HlW/W1QoijMsgM
CIrT4quEHyRVT4FBIAS4OARnyZUAEgorBgEEAZdVAQUBAQdAYXgN7RKGHDcF40Wl
+1UjaG+ZHovuI1yWv2+yntnf208DAQgHiH4EGBYKACYWIQTC/VJX2vOkYV1Ovo1r
72GPkZsUxQUCZ8mVAAIbDAUJA4B8AAAKCRBr72GPkZsUxVT7AP9U0GGQZsfW+fwk
vC8rjwPtCyTzKB6EWUTCh7ZO+KubCQD+Im+8wA1HwBSA5GO8zZE9M+bP6FS4En47
emHrCtOwiww=
=X+VR
—–END PGP PUBLIC KEY BLOCK—–

Fingerprint for verification: C2FD5257DAF3A4615D4EBE8D6BEF618F919B14C5

How to encrypt using a private key?

You will download the above key and use it to encrypt your content. This will ensure, that only we will be able to read it.

1. 1. 1. Open the above section and mark the complete key including the —Begin— and —End— separators.
    2. Store it as a simple text file on your device, naming it e.g. “ts-pubkey.txt”
    3. Ensure you have GPG available by opening command line and entering
```
gpg --version"
```
      - if you get an answer, you have GPG installed and can continue with #4
      - if not, see here for the installation of GPG tools or your platform.
    4. Store your description / message in a file – say myMsg.txt – in the same directory.
    5. Now import our key using
```
gpg --import ts-pubkey.txt
```
    6. To encrypt your message use the following command:
```
gpg --encrypt -r support@trustsource.io -o myMsg.gpg myMsg.txt
```
    And you are almost done. Now post the content of the file myMsg.gpg into the webform or attach it to your email and send it to us.
    
    Thank you for your support!!

1. - You will receive a reply from one of our engineers within 1 working day acknowledging receipt of the email.
  - You may be contacted by one of our engineers to further discuss the reported item. Please bear with us as we seek to understand the breadth and scope of the reported problem, recreate it, and confirm if there is a vulnerability present.

Alternatively, you also may use our web form:

1. 1. Please visit https://www.trustsource.io/contact-security
    - You will receive a confirmation email upon submission
  2. You may be contacted by one of our engineers to further discuss the reported item within 1 working day. Please bear with us as we seek to understand the breadth and scope of the reported problem, recreate it, and confirm if there is a vulnerability present.

Disclosure:

We will process the information as fast as possible. However, depending on clarity of documentation, impact and mitigation options this may take a while. However, you may assume that we will stick to a 90 days disclosure timeline max.