Found a bug? We want to hear from you.

How our recognition program works

Most "bug bounty" programs reward researchers with cash. We do something different: legitimate findings earn a public, verifiable TrueCert Security Researcher credential, similar in structure to the assessment certificates we issue across the platform. The credential is Open Badges 2.0 compliant, can be linked from LinkedIn or your CV, and includes a public verification URL employers can check.

The goal is to reward serious researchers with portable, real credibility, not a one-time cash payout. For junior security researchers building a portfolio toward SOC, AppSec, or pentesting roles, a verified finding at a real production company is genuinely more useful than $50.

Recognition tiers

In scope

We accept reports on exploitable issues that affect the security or integrity of TrueCert services. Common categories we acknowledge:

• Authentication and session bypass
• Authorisation flaws (IDOR, privilege escalation, cross-tenant access)
• Server-side injection (SQL, command, template, XXE)
• Stored or reflected XSS that affects other users
• Server-side request forgery (SSRF)
• Remote code execution
• Significant business logic flaws (e.g. payment bypass, certificate forgery)
• Sensitive data exposure (PII, payment data, authentication secrets)
• Vulnerabilities in our verification system that allow forged credentials

Out of scope

We do not acknowledge or accept reports on:

• Missing HTTP security headers without a demonstrated exploit (CSP, HSTS, X-Frame-Options, etc.)
• Banner grabbing, version disclosure, framework fingerprinting
• Outdated software or library versions without a working exploitable path
• Self-XSS or issues that require local access to a user's device
• Clickjacking on pages with no sensitive state-changing actions
• Rate-limiting or brute-force findings without proof of impact
• Email spoofing, SPF/DKIM/DMARC misconfigurations on third-party domains
• SSL/TLS configuration findings on Cloudflare or hosting infrastructure
• Issues on third-party services we don't operate (Stripe, Cloudflare, Resend, etc.)
• Automated scanner output without a written proof-of-concept
• Denial-of-service attacks, load testing, or anything that degrades service for other users
• Social engineering of TrueCert staff or users
• Physical attacks against TrueCert infrastructure

How to report

Send a detailed report to [email protected] including:

• A clear description of the vulnerability and its impact
• Step-by-step reproduction instructions
• A working proof-of-concept (screenshots, request/response, or short video)
• The URL(s) or endpoint(s) affected
• Any preferred display name or handle for public acknowledgment (or "anonymous" if you'd rather not be listed)

We aim to acknowledge initial reports within 10 business days. Verified findings are added to the public researcher list within 10 business days of remediation.

Rules of engagement

By submitting a report, you agree to:

• Test only against your own account and clearly-test data
• Not access, modify, or destroy data that doesn't belong to you
• Not run automated scanners that generate excessive traffic
• Not publicly disclose the vulnerability until we've remediated it
• Not extort, threaten, or demand payment in exchange for disclosure

Good-faith research under these rules will not result in legal action from TrueCert. Reports that violate these rules (especially extortion attempts) will be ignored, blocked, and where appropriate reported to the relevant authorities.

Frequently asked questions