Tuturuuu security policy for responsible disclosure
How to report vulnerabilities safely, what is in scope, and how we coordinate fixes and public credit.
Report channel
Send vulnerability reports privately
Use one private channel for initial reports so we can triage quickly and protect users while the issue is unresolved.
Responsible disclosure flow
Responsible disclosure works best when reports stay private, reproduction is safe, and verified scope is written precisely.
Report privately
Email security@tuturuuu.com with enough detail to reproduce the issue without publishing it first.
Test safely
Keep testing narrow, avoid customer data, and stop when you have a clear proof of impact.
Credit verified work
When the issue is resolved and the researcher wants recognition, we can publish verified credit in the Hall of Fame.
Scope and boundaries
Focus on vulnerabilities that affect Tuturuuu-managed products, user data, authentication, authorization, or production service integrity.
In scope
Out of scope
Rules of engagement
Please use the smallest proof needed to show impact and avoid actions that could harm customers, workspaces, data, or service availability.
What to include
What happens after you report
We prioritize confirmed impact, communicate next steps, and keep public credit aligned with the verified scope.
Acknowledge
We acknowledge new reports within 24 hours when enough contact information is provided.
Triage
We reproduce or validate the behavior, classify impact, and coordinate remediation.
Credit
Verified researchers can be listed in the Hall of Fame with the name or handle they choose.
Ready to report?
Send the report privately first. We will acknowledge it, validate impact, coordinate a fix, and discuss public credit when the issue is resolved.