Responsible disclosure
If you found something, tell us.
We do this work for a living. We expect to get things wrong now and then, and we would rather hear about it from you than read about it elsewhere. This page explains how to reach us and what we will do once you have.
One channel. Encrypted, if you prefer.
Email info@trietment.com with as much detail as you can spare. If a screenshot helps, attach it. If you have a PGP key and want one of ours so you can encrypt the report, ask in the first message.
Please do not file public issues, post on social media, or use the contact form for vulnerability reports.
A useful report includes:
- Affected asset (URL, hostname, repository)
- Vulnerability class and impact
- Reproduction steps
- Proof-of-concept, if any
- Your preferred name for credit, or a request to remain anonymous
Acknowledgement within three working days
A real person will reply. If we need more information, we will ask. If we believe the report falls outside scope, we will say so and explain why.
Triage within ten working days
We confirm the issue, agree on severity with you, and share the remediation timeline we are working to. You will hear from us at milestones, not just at the end.
Coordinated disclosure
Once a fix is shipped, we are happy to coordinate public disclosure with you on a timeline that respects affected users. Ninety days is our default, sooner where appropriate, longer where necessary.
Credit, if you want it
We will name you in our acknowledgements with your permission. If you prefer to remain anonymous, that is the default we will keep.
Research in good faith is welcome.
We will not pursue legal action against researchers who act in good faith, follow the rules below, and give us a reasonable opportunity to fix the issue before public disclosure. If a third party brings a claim against you for activity carried out in line with this policy, we will make our position public.
In scope:
- trietment.com and its subdomains
- Source code under our published repositories
- Email and DNS configuration we operate
Some classes of report are not useful to us. The following are out of scope: please do not test for or report them, and we cannot reward or acknowledge them.
- Denial-of-service, volumetric or stress testing
- Social engineering of staff, clients or partners
- Physical attacks against our offices or hardware
- Automated scanner output without a verified, exploitable finding
- Missing security headers without demonstrable impact
- Reports that require access to a victim's device or account
- Spam, content injection or open-redirects without security impact
- Findings against client environments — please contact the client
This policy follows RFC 9116. The machine-readable version is at /.well-known/security.txt.
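As an added example, and not trietment.com's own tooling, the script below checks a security.txt file against the core RFC 9116 rules: Contact and Expires are required, Expires (and Preferred-Languages) may appear only once, Contact must be a URI rather than a bare address, and Expires must be an RFC 3339 timestamp that is in the future and, per the RFC's recommendation, less than a year out. The sample file is constructed here using the contact address and /.well-known/security.txt path from this page; its Expires, Policy and Canonical values are assumptions.

```python
"""Check a security.txt file against the core rules of RFC 9116.

Added example for this page; it is not trietment.com's own tooling.
SAMPLE is constructed here, using the contact address and
/.well-known/security.txt path the page gives; its Expires, Policy and
Canonical values are assumptions.
"""
from datetime import datetime, timedelta, timezone

SAMPLE = """\
# Constructed sample; a real file is served over HTTPS at
# https://<host>/.well-known/security.txt
Contact: mailto:info@trietment.com
Expires: 2030-01-01T00:00:00Z
Policy: https://trietment.com/responsible-disclosure
Canonical: https://trietment.com/.well-known/security.txt
Preferred-Languages: en
"""

# Fields defined in RFC 9116 section 2.5. Contact and Expires are required.
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}
# Fields the RFC says must not appear more than once.
SINGLE_FIELDS = {"expires", "preferred-languages"}
# URI schemes the RFC gives for Contact; a bare address is not a valid value.
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def parse(text):
    """Return (field, value) pairs; names are case-insensitive, so lower-cased.
    Comment lines start with '#'; blank lines are ignored."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"not a field line: {raw!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp into an aware datetime, or raise ValueError."""
    when = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if when.tzinfo is None:
        raise ValueError("timestamp has no UTC offset")
    return when


def validate(text, now=None):
    """Return a list of problems (empty means the file passes).

    `now` may be an aware datetime or an RFC 3339 string; it defaults to the
    current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_rfc3339(now)

    fields = parse(text)
    problems = []
    counts = {}
    for name, _ in fields:
        counts[name] = counts.get(name, 0) + 1

    for name, n in counts.items():
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
        if name in SINGLE_FIELDS and n > 1:
            problems.append(f"{name} must not appear more than once")
    for required in ("contact", "expires"):
        if required not in counts:
            problems.append(f"missing required field: {required}")

    for name, value in fields:
        if name == "contact" and not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"contact is not a mailto:/https:/tel: URI: {value}")
        if name == "expires":
            try:
                expires = parse_rfc3339(value)
            except ValueError:
                problems.append(f"expires is not an RFC 3339 timestamp: {value}")
                continue
            if expires <= now:
                problems.append(f"file expired on {value}")
            elif expires - now > timedelta(days=365):
                # RFC 9116 recommends an Expires less than a year into the future.
                problems.append(f"expires is more than a year out: {value}")
    return problems


if __name__ == "__main__":
    # With the live clock the constructed 2030 Expires is flagged as too far
    # out (or as expired once that date has passed); that is the check working.
    for problem in validate(SAMPLE) or ["ok"]:
        print(problem)
```

The Expires check is the one that bites in practice: a file that passed when it was written silently goes stale, and RFC 9116 tells researchers to treat an expired file as unreliable, so pin the reference time in a scheduled check and alert well before the date arrives.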