Security policy

Tuturuuu security policy for responsible disclosure

How to report vulnerabilities safely, what is in scope, and how we coordinate fixes and public credit.

Report channel

Send vulnerability reports privately

Use one private channel for initial reports so we can triage quickly and protect users while the issue is unresolved.

Private inbox: security@tuturuuu.com
Initial response: Within 24 hours
Recognition: Optional public credit

Process

Responsible disclosure flow

Responsible disclosure works best when reports stay private, reproduction is safe, and verified scope is written precisely.

Report privately

Email security@tuturuuu.com with enough detail to reproduce the issue without publishing it first.

Test safely

Keep testing narrow, avoid customer data, and stop when you have a clear proof of impact.

Credit verified work

When the issue is resolved and the researcher wants recognition, we can publish verified credit in the Hall of Fame.

Scope

Scope and boundaries

Focus on vulnerabilities that affect Tuturuuu-managed products, user data, authentication, authorization, or production service integrity.

In scope

Tuturuuu web products, public app routes, APIs, and workspace features.
Authentication, authorization, session handling, and cross-workspace access controls.
Issues that expose, modify, or destroy user, workspace, billing, or private content.
Public Tuturuuu-controlled domains and integrations where user impact can be shown safely.

Out of scope

Social engineering, phishing, harassment, or attempts to target Tuturuuu staff or users.
Denial-of-service, load testing, spam, automated scanning at scale, or resource exhaustion.
Physical attacks, employee device compromise, or issues requiring stolen credentials.
Provider-native behavior without a demonstrated Tuturuuu product impact.

Safe testing

Rules of engagement

Please use the smallest proof needed to show impact and avoid actions that could harm customers, workspaces, data, or service availability.

Report privately to security@tuturuuu.com before public disclosure.
Use minimal, non-destructive testing and stop once impact is demonstrated.
Do not establish persistence, backdoors, malware, or ongoing access.
Do not access, modify, delete, or exfiltrate data that is not yours.
Do not run denial-of-service, spam, resource exhaustion, or availability-impacting tests.

What to include

A short summary of the vulnerability and the affected Tuturuuu surface.
Clear reproduction steps, screenshots, request logs, or a minimal proof of concept.
The practical security impact and affected users, workspaces, or assets.
Your preferred contact method and public credit name, if you want recognition.

Response

What happens after you report

We prioritize confirmed impact, communicate next steps, and keep public credit aligned with the verified scope.

Acknowledge

We acknowledge new reports within 24 hours when enough contact information is provided.

Triage

We reproduce or validate the behavior, classify impact, and coordinate remediation.

Credit

Verified researchers can be listed on the Hall of Fame with the name or handle they choose.

Ready to report?

Send the report privately first. We will acknowledge it, validate impact, coordinate a fix, and discuss public credit when the issue is resolved.
