Security · Responsible disclosure

Found a bug?
Tell us first.

We are a small team building security software, so we take our own security seriously. If you find a vulnerability, report it privately and we will fix it fast, credit you, and reward genuine findings.

Report a vulnerability

Rewards

Rewards are discretionary. We pay cash for valid, previously unreported vulnerabilities, scaled to the severity of the issue, how novel it is, and the quality of your report. A clean writeup with a working proof of concept is worth more than a vague one.

The highest payouts go to anything that crosses a tenant boundary or escalates privilege, because multi-tenant isolation is the line we care about most. Every accepted report also earns a place in our hall of fame and a thank-you, if you would like the credit.

We are a young company. We would rather be honest that the program is discretionary than publish a tier table we cannot stand behind. As we grow, this page grows with us.

Scope

In scope

These properties:

  • trustyourinbox.com: Marketing site and free tools
  • app.trustyourinbox.com: The authenticated dashboard
  • mcp.trustyourinbox.com: The MCP server and its token auth
  • Our public API routes: Anything under /api on the above hosts

Issue classes we want:

  • Cross-tenant data access (reading or writing another workspace's data)
  • Authentication or session bypass, privilege escalation to staff or operator
  • Remote code execution, SQL injection, SSRF
  • Stored or reflected XSS, CSRF on state-changing actions
  • Insecure direct object references (IDOR) and broken access control
  • Exposed secrets, tokens, or credentials

Out of scope

Please do not report these. They will be closed as out of scope:

  • Denial of service, volumetric, or load-generating attacks of any kind
  • Social engineering or phishing of our team, customers, or vendors
  • Physical attacks, or anything targeting our offices, staff, or investors
  • Reports from automated scanners with no working proof of concept
  • Missing security headers or best-practice findings with no demonstrated impact
  • Rate limits on the public tools (10 checks per IP per hour is intentional)
  • Email spoofing of domains we monitor (detecting that is the product, not a bug)
  • Self-XSS, clickjacking on pages with no sensitive action, or login/logout CSRF
  • Vulnerabilities in third-party vendors (report those to Cloudflare, Clerk, Stripe, or Neon directly)

Rules of engagement

  1. Act in good faith. Do not access, modify, or delete data that is not yours.
  2. Test against your own account, workspace, and domains. Never pivot into another tenant.
  3. Stop and report as soon as you have proof of concept. Do not exfiltrate data beyond what is needed to demonstrate the issue.
  4. Do not degrade service. No high-volume automated testing against production.
  5. Give us reasonable time to fix before any public disclosure (90 days is the norm).
  6. One vulnerability per report, unless you need to chain issues to show impact.

Safe harbor

If you make a good-faith effort to follow this policy during your research, we will consider it authorized. We will not pursue or support legal action against you for accidental, good-faith violations.

If a third party brings legal action against you for research that complied with this policy, we will make it known that your actions were authorized.

This policy works alongside our Acceptable Use Policy. The narrow research exception here overrides the AUP’s general ban on probing for vulnerabilities, as long as you stay within scope and the rules above.

How to report

Email security@trustyourinbox.com. There is no form to fill out. A good report includes:

  • A clear description of the issue and its impact.
  • Step-by-step instructions to reproduce it, with a working proof of concept.
  • The affected URL, API call, or screenshot.
  • Your name or handle, if you would like credit.

What to expect

We acknowledge every report within 2 business days, usually same day. We will confirm the issue, agree on a severity with you, and keep you posted through the fix. Once it is patched and any reward is settled, you are clear to disclose.

Hall of fame

We credit every researcher who responsibly discloses a valid issue. The list is empty for now. Be the first name on it.


See also our security posture.