Responsible Disclosure Policy

Scope

The following assets are in scope:

• tirugo.ch (website)
• portal.tirugo.ch (customer portal, once live)
• api.tirugo.ch (API endpoints)
• All subdomains of tirugo.ch

Out of scope:

• Attacks on Tirugo's physical infrastructure
• Social engineering against Tirugo staff
• Denial-of-service attacks (including for testing)
• Third-party services (Cloudflare, Hetzner, Resend, etc.)

Your commitments

When reporting a vulnerability we ask you to:

• Not exploit vulnerabilities beyond what is necessary to demonstrate the issue.
• Not exfiltrate, modify, or delete third-party data.
• Give us reasonable time to fix the issue (usually 90 days) before you disclose it publicly.
• Keep the vulnerability confidential until it is fixed.

Our commitments

We commit to:

• Send an acknowledgement within 5 business days.
• Provide an initial assessment within 15 business days.
• Keep you updated on remediation progress.
• Not take legal action against individuals acting in good faith and within this policy.
• Recognise your contribution in our Security Acknowledgments on request (or keep it anonymous).

Bug bounty

Tirugo does not currently operate a public bug-bounty programme. In selected cases we acknowledge outstanding reports individually (vouchers, credits, invitations to private beta programmes). Monetary rewards are not guaranteed.

How to report

Send an email – preferably encrypted – to: security@tirugo.ch

PGP key fingerprint: available on request.

Please include:

• Affected URL / component
• Type of vulnerability (e.g. XSS, SQLi, IDOR, auth bypass)
• Steps to reproduce
• Impact and possible attack vectors
• Optional: remediation suggestion
• Your contact details (for follow-up and acknowledgement)

Machine-readable

Security contact per RFC 9116: /.well-known/security.txt