Office Address

No. 48, FECHS Commercial, Service Road North, E-11/2 Islamabad – 44000

Phone Number

Tel: +92-51-2706901/2706902
Fax: +92-51-8356991

Email Address

[email protected]

At Trojans (also known as Trosol), your trust is our top priority. We are committed to delivering secure, innovative solutions while safeguarding the data, privacy, and digital assets of our clients, partners, and users. This Vulnerability Disclosure Policy (VDP) invites responsible security researchers and ethical hackers to identify and report security vulnerabilities in a lawful, constructive, and transparent manner.

We believe in collaboration and transparency as vital pillars of a robust cybersecurity framework.


✅ Purpose of the Policy

This policy aims to:

  • Encourage responsible vulnerability reporting.
  • Outline the scope and procedures for submitting potential vulnerabilities.
  • Ensure legal protection for ethical hackers acting in good faith.
  • Strengthen our cybersecurity posture through community collaboration.

Scope of the Vulnerability Disclosure Policy

The VDP covers all public-facing digital assets owned or operated by Trojans, including:

  • Official websites: www.trosol.com and all subdomains
  • APIs, public endpoints, and SaaS platforms
  • Mobile and web-based applications
  • Public-facing infrastructure and cloud-hosted systems
  • Custom software and tools developed by Trojans

❌ Out-of-Scope Areas:

  • Physical infrastructure or social engineering
  • Denial-of-Service (DoS/DDoS) testing
  • Automated scanning tools causing service degradation
  • Phishing attacks or employee impersonation
  • Attacks requiring social manipulation or insider access

🧭 Guidelines for Responsible Disclosure

We ask all researchers to:

  • Report findings privately and avoid public disclosure until resolved.
  • Avoid data exfiltration or exploitation during testing.
  • Respect user privacy and confidentiality.
  • Submit vulnerabilities with reproducible steps and impact assessments.
  • Refrain from disrupting services or accessing data without consent.

Following these principles ensures mutual trust and accelerates resolution.


📨 Vulnerability Submission Process

To report a security issue, follow these steps:

📤 Submit to:

📧 Email: [email protected]

📋 Include:

  • Reporter’s name or alias (optional)
  • Contact details for follow-up
  • Affected system (URL, endpoint, product version)
  • Detailed reproduction steps (screenshots, payloads, PoC)
  • Impact summary and risk level
  • Suggested remediation (if applicable)

Optional: Encrypted reports via PGP (available upon request).


📬 What to Expect from Trojans

We commit to:

  • Acknowledging your report within 5 business days
  • Providing regular status updates
  • Remediating valid vulnerabilities typically within 30–90 days
  • Offering recognition, including:
    • Public acknowledgment (with consent)
    • Letter of appreciation
    • Swag or early access opportunities (when available)
    • Inclusion in our future Security Researcher Hall of Fame

While we currently do not offer monetary rewards, our appreciation is sincere, and we’re actively considering future bug bounty programs.


⚖️ Legal Safe Harbor

We respect ethical research and guarantee legal protection if you:

  • Comply with this policy and applicable laws
  • Perform testing in good faith without harmful impact
  • Report vulnerabilities responsibly and confidentially

We will not pursue legal action for responsible disclosure. We consider such research to be authorized access under the law.


Our Security Philosophy

At Trojans, security is not just a compliance checkbox – it's a strategic commitment. We continuously monitor, test, and improve our systems based on:

  • Global standards (e.g., NIST, ISO 27001)
  • Proactive internal audits
  • Transparent communication with researchers
  • Alignment with GDPR, FCPA, SOX, and other regulatory frameworks


🛠 Let’s Make the Internet Safer – Together

We welcome all contributions from the global security community. If you believe you’ve discovered a vulnerability, please reach out. Your efforts make the Trojans ecosystem more secure for everyone.

📧 Report to: [email protected]

🔒 PGP Key: Available upon request

🔒 Trojans Hall of Fame

We recognize and appreciate the outstanding contributions of security researchers who help make our systems safer and more secure. Here are the individuals who responsibly disclosed vulnerabilities to Trojans.

  • Alex Hunter: SQL Injection on Partner Portal (January 2025)
  • Sana Raza: Cross-Site Scripting (XSS) in Dashboard (March 2025)
  • Crypton: Exposed S3 Bucket (Data Leak Prevention) (February 2025)

Do you want to join the list? Submit responsibly at [email protected]