Vulnerability Disclosure Policy

How to report a security issue — and what you can expect from us

The short version: We welcome reports of security vulnerabilities. Email tim.j.rice@fairtprm.com with the details, give us a reasonable time to fix the issue before disclosing it publicly, and act in good faith — and we will not pursue legal action against you. This policy also appears in our security.txt.

Fair TPRM ("we," "us," or "our") takes the security of our website and software seriously. We value the work of security researchers and the broader community in helping us keep our users safe. This Vulnerability Disclosure Policy explains how to report a vulnerability to us, what is in and out of scope, and what you can expect in return.

1. Scope

This policy applies to security vulnerabilities discovered in:

Because Fair TPRM is self-hosted software, individual deployments run on infrastructure we do not control. If you find a vulnerability in a specific third-party installation, please report it to the operator of that installation. Report issues in the software itself to us using the details below.

2. How to Report

Please send your report by email to tim.j.rice@fairtprm.com. To help us triage and resolve the issue quickly, please include where possible:

  • A clear description of the vulnerability and its potential impact;
  • The affected URL, endpoint, component, or source file;
  • Step-by-step instructions to reproduce the issue, including any proof-of-concept code, requests, or screenshots;
  • Any relevant configuration or version information;
  • How you would like to be credited, if you wish to be acknowledged.

3. Guidelines for Researchers

When investigating and reporting an issue, we ask that you:

  • Act in good faith to avoid privacy violations, data destruction, and interruption or degradation of our services;
  • Only interact with accounts you own or have explicit permission to test; do not access, modify, or delete data belonging to others;
  • Do not run denial-of-service attacks, spam, social-engineering, or physical attacks against our staff, users, or infrastructure;
  • Use test data rather than real personal information wherever possible, and stop testing and report immediately if you encounter sensitive data;
  • Give us reasonable time to investigate and remediate before publicly disclosing the issue.

4. Out of Scope

The following are generally not considered valid vulnerabilities under this policy unless you can demonstrate a realistic security impact:

  • Reports from automated scanners without a working proof of concept;
  • Missing security headers or cookie flags with no demonstrated exploit;
  • Clickjacking on pages with no sensitive actions;
  • Denial-of-service, rate-limiting, or volumetric issues;
  • Social engineering, phishing, or physical attacks;
  • Best-practice or informational findings (for example, SPF/DKIM/DMARC configuration) with no concrete impact;
  • Vulnerabilities affecting only outdated or unpatched browsers or platforms.

5. Safe Harbor

We consider security research and vulnerability disclosure conducted in accordance with this policy to be authorized and beneficial. If you make a good-faith effort to comply with this policy during your research, we will:

  • Not pursue or support legal action against you related to your research;
  • Work with you to understand and resolve the issue promptly;
  • Not report the matter to law enforcement, provided your activity remains within the guidelines above.

If legal action is initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known. This safe harbor does not apply to activity that is malicious, that intentionally harms our users, or that violates applicable law.

6. Our Commitment to You

When you report a vulnerability in good faith, we will make our best effort to:

  • Acknowledge receipt of your report within 5 business days;
  • Provide an initial assessment and keep you informed of our progress;
  • Work to remediate confirmed issues in a timely manner, prioritized by severity;
  • Credit you in our Security Acknowledgments page, if you wish to be recognized.

We do not currently operate a paid bug-bounty program, so reports are not eligible for monetary rewards. We are, however, sincerely grateful for your contributions.

7. Encryption

If you need to send us sensitive information as part of a report, please contact us first at tim.j.rice@fairtprm.com and we will arrange a secure channel.

8. Changes to This Policy

We may update this policy from time to time. Changes are effective when posted to this page, and we will update the "last updated" date below.

Report a security issue

Email tim.j.rice@fairtprm.com. Machine-readable details are published in our security.txt file.

Last updated: July 2026.