Security & Vulnerability Disclosure Programme

To help us investigate effectively, please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Any relevant screenshots, logs, or proof-of-concept code
  • The potential impact of the issue, if known

We aim to acknowledge receipt of reports in a timely manner.

Scope

This programme applies to:

  • Tirro's publicly accessible web applications
  • APIs and services operated by Tirro
  • Any other systems explicitly owned and operated by Tirro

Out of Scope

The following are generally considered out of scope:

  • Denial of Service (DoS/DDoS) testing
  • Social engineering (e.g., phishing, pretexting)
  • Physical attacks against offices or infrastructure
  • Spam or content-related issues
  • Issues requiring access to another user's account without proof
  • Automated or low-quality bulk submissions without clear impact

Guidelines for Researchers

We ask that you:

  • Act in good faith and avoid privacy violations, data destruction, or service disruption
  • Do not access, modify, or delete data that does not belong to you
  • Only test against accounts and data you own or have explicit permission to use
  • Avoid any activity that could negatively impact Tirro's users or services
  • Provide us with a reasonable opportunity to investigate and resolve the issue before public disclosure

Safe Harbour

Tirro will not pursue legal action against researchers who:

  • Act in good faith
  • Follow this policy
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate their existence

Rewards

Tirro does not currently operate a formal monetary bug bounty programme.

However, we may, at our discretion:

  • Acknowledge valid reports
  • Offer non-monetary recognition

Our Commitment

  • We will review all legitimate vulnerability reports
  • We will take appropriate action to remediate confirmed issues
  • We will aim to keep reporters informed where appropriate

Legal

This programme does not grant permission to test systems outside the defined scope. Any activity that violates applicable laws or regulations is strictly prohibited.

Thank You

We appreciate the efforts of the security community in helping us maintain a secure platform.