Security policy

Vulnerability Disclosure Policy

Coordinated disclosure terms, response SLAs and safe-harbor commitment for security researchers reporting issues to TurboFinOps.

  • Last reviewed: May 2026
  • Bounty: Not offered yet
  • Coordinated disclosure: Default 90 days

How to report

Email security@turbofinops.com with a clear reproduction, observed impact and any suggested mitigations. PGP encryption is available on request.

Please include: affected URL or endpoint, browser or tooling used, request and response samples, severity assessment and the date discovered. Screenshots and short video captures help triage significantly.

A machine-readable contact is published at /.well-known/security.txt per RFC 9116.

Response targets

Phase, target and notes:

  • Acknowledgement (≤ 3 business days): You will receive a human reply confirming receipt and a tracking reference.
  • Initial triage (≤ 10 business days): Severity assessment, reproduction status and next-step plan communicated to the reporter.
  • Remediation target — Critical (≤ 30 days): Vulnerabilities that allow tenant breach, credential theft or remote code execution.
  • Remediation target — High (≤ 60 days): Significant impact without immediate tenant breach (e.g. privilege escalation in limited paths).
  • Remediation target — Medium/Low (≤ 90 days): Defense-in-depth, hardening and informational findings.
  • Public coordination (on request): Coordinated disclosure timeline agreed with the reporter; default embargo 90 days.

Targets are aspirational service commitments, not contractual SLAs. Complex issues requiring vendor coordination or schema migration may extend the remediation window; reporters will be kept informed.

In scope

  • turbofinops.com and all *.turbofinops.com subdomains under our control.
  • TurboFinOps platform API and authenticated dashboard endpoints.
  • Authentication, RBAC and multi-tenant isolation controls.
  • Encryption of cloud credentials and AI provider keys at rest.
  • Server-side request handling, SSRF, IDOR, injection and access control flaws.

Out of scope

  • Denial-of-service, volumetric or stress testing against production.
  • Social engineering, phishing or physical attacks against employees or contractors.
  • Issues affecting only outdated browsers, end-of-life software, or third-party services we do not control.
  • Reports requiring physical access or compromised end-user devices.
  • Self-XSS, missing best-practice headers without demonstrated impact, or theoretical issues without proof of concept.
  • Findings in third-party subprocessors — report those directly to the relevant provider (see /subprocessors).

Safe-harbor commitment

TurboFinOps will not pursue legal action against researchers who report vulnerabilities in good faith and follow the guidelines below. We will work with you to understand and resolve the issue quickly.

  • Make a good-faith effort to avoid privacy violations, destruction of data or interruption of service.
  • Only interact with accounts you own or have explicit written permission from the account holder.
  • Do not exfiltrate data beyond the minimum required to demonstrate the vulnerability.
  • Do not publicly disclose the vulnerability before we have completed remediation, unless coordinated.
  • Stop testing and report immediately if you encounter sensitive customer data.

What we ask you not to do

Do not run automated scanners that generate large amounts of traffic, do not attempt to access, modify or delete data belonging to other customers, and do not publicly post proof of concept material before remediation. If you discover personal data during testing, stop immediately and report.

Researcher acknowledgments

We publicly thank researchers who report verified vulnerabilities and consent to be named. A formal bug-bounty program is not yet active; once SOC 2 readiness is complete we plan to evaluate a managed program with a third party. Until then, recognition is provided via this page and on request via written reference.

No public acknowledgments to date. Reporters will be listed here with consent.
