Vulnerability Disclosure Policy — Tarosyn

Tarosyn welcomes responsible security research. This page defines the scope, safe-harbor protections, and response timeline for vulnerability disclosures.

Scope

• tarosyn.com and all subdomains
• Tarosyn iOS and Android mobile apps (com.tarosyn.app)
• The Tarosyn public API

Out of Scope

• Third-party services (Stripe, Apple, Google, OpenAI)
• Social engineering attacks against employees
• Physical security

Safe Harbor

Tarosyn will not initiate legal action against researchers who discover and report security vulnerabilities in good faith, provided they do not exfiltrate data beyond what is necessary to demonstrate the issue, and do not degrade service availability.

How to Report

Email [email protected] with a description of the vulnerability, steps to reproduce, and your assessment of severity. You will receive an acknowledgement within 24 hours.

Response Timeline

• Acknowledgement: within 24 hours
• Initial triage: within 5 business days
• Resolution target: 30–90 days depending on severity
• Credit in Security Acknowledgements upon request

Security Policy · Trust Center · Acknowledgements