Gold Shield

Triage Security
Last updated on

1. Preamble

Triage Security is committed to the security and integrity of our platform, products, and the broader digital ecosystem. We recognize that independent security researchers and ethical hackers play an essential role in keeping the internet safe.

The Gold Shield is our formal commitment to protecting good faith security researchers from legal action when they responsibly discover and disclose vulnerabilities in accordance with this policy. This standard is modeled after industry best practices, including the principles established by the U.S. Department of Justice's 2022 CFAA charging policy, and the NIST Coordinated Vulnerability Disclosure framework.

2. Key Definitions

2.1 Good Faith Security Research

Good Faith Security Research means accessing a computer, system, network, or application solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed system belongs, or those who use such devices, machines, or online services.

This definition aligns with the language adopted by the U.S. Department of Justice and reflects the evolving consensus among regulators and industry experts regarding authorized security research.

2.2 Researcher

Any individual or entity conducting Good Faith Security Research under this policy, whether independently or through a coordinated program operated by Triage Security.

2.3 Vulnerability

A weakness in a system, product, application, or service that could be exploited to compromise the confidentiality, integrity, or availability of data or services.

3. The Gold Shield Commitment

Triage Security considers Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We will not initiate or support any legal action against a Researcher for activities conducted in compliance with this policy.

3.1 What We Commit To

Authorization: We consider Good Faith Security Research, as defined above, to be "authorized" conduct. We will not pursue claims against Researchers under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), or equivalent international laws for actions taken under this policy.

Terms of Service Waiver: We waive any relevant restriction in our Terms of Service ("TOS") and/or Acceptable Use Policies ("AUP") that conflicts with the standard for Good Faith Security Research outlined herein.

No Legal Threats: We will not threaten, intimidate, or bring legal action against any Researcher who reports a vulnerability in compliance with this policy, regardless of whether the Researcher participates in a formal bug bounty program.

Law Enforcement Cooperation: If a third party, including law enforcement, initiates legal action against a Researcher for activities conducted in compliance with this policy, we will take reasonable steps to make it known that the Researcher's actions were authorized under the Gold Shield.

Data Breach Differentiation: We will not treat security research conducted under this policy as a reportable data breach. We recognize that Good Faith Security Research is fundamentally different from malicious unauthorized access.

4. Researcher Obligations

To qualify for protection under the Gold Shield, Researchers must adhere to the following guidelines:

4.1 Scope & Authorization

  • Test only systems, products, and services that are within the scope designated by Triage Security. Any assets explicitly marked as out-of-scope are not covered by this safe harbor.
  • Do not test systems owned or operated by third parties unless those parties have expressly authorized such testing. Triage Security cannot authorize research on third-party infrastructure.

4.2 Responsible Conduct

  • Act in good faith to avoid harm to individuals, organizations, and the public.
  • Do not exfiltrate, retain, or publicly disclose any data beyond the minimum necessary to demonstrate the vulnerability.
  • Do not intentionally degrade or disrupt services, destroy data, or compromise user accounts.
  • Do not use social engineering, phishing, or physical attacks against Triage Security employees, contractors, or users.
  • Do not conduct denial-of-service (DoS/DDoS) attacks.

4.3 Disclosure Protocol

  • Report discovered vulnerabilities promptly through the designated reporting channel at Triage Security.
  • Provide sufficient detail for Triage Security to reproduce and validate the vulnerability.
  • Allow a reasonable period for Triage Security to remediate the vulnerability before any public disclosure, in coordination with our team.
  • Follow any applicable coordinated vulnerability disclosure timelines mutually agreed upon.

5. Third-Party Limitations

Triage Security is unable to authorize security research on third-party infrastructure, and no third party is bound by this safe harbor statement. Researchers are solely responsible for ensuring they have proper authorization before testing any systems not owned or operated by Triage Security.

6. Our Response Commitment

When a vulnerability is reported in compliance with this policy, Triage Security commits to the following:

  • Acknowledgment: We will acknowledge receipt of vulnerability reports within 3 business days.
  • Triage & Assessment: We will conduct an initial assessment and provide a severity classification within 10 business days.
  • Communication: We will maintain open and transparent communication with the Researcher throughout the remediation process.
  • Credit & Recognition: With the Researcher's consent, we will publicly credit Researchers who report valid vulnerabilities in our security acknowledgments.
  • No Retaliation: We will not retaliate against Researchers for good faith reports, even if the vulnerability cannot be reproduced or is determined to be a non-issue.

7. Exclusions

This safe harbor does not apply to:

  • Activities that cause intentional harm to users, customers, or Triage Security systems beyond what is reasonably necessary to demonstrate a vulnerability.
  • Research conducted on systems or assets explicitly designated as out-of-scope.
  • Actions that violate applicable laws beyond those specifically waived in this policy.
  • Sale, trade, or weaponization of discovered vulnerabilities.
  • Extortion, threats, or coercive demands tied to vulnerability reports.
  • Any testing conducted against third-party systems without express authorization from the system owner.

8. Reporting Vulnerabilities

To report a vulnerability under the Gold Shield, please contact us through the following channels:

Please include the following in your report: a detailed description of the vulnerability, steps to reproduce, affected assets or endpoints, potential impact assessment, and any supporting evidence such as screenshots, proof-of-concept code, or logs.

9. Governing Principles

This policy is intended to be compatible with applicable legal frameworks worldwide, including but not limited to the U.S. Computer Fraud and Abuse Act (CFAA) as interpreted under the 2022 DOJ charging policy, the EU Directive on Attacks Against Information Systems, and other relevant national cybersecurity laws.

Triage Security reserves the right to update this policy as laws, regulations, and industry standards evolve. Changes will be communicated through our website and applicable program pages.

10. Acknowledgment & Commitment

By adopting the Gold Shield, Triage Security affirms its commitment to collaboration with the security research community, the protection of good faith researchers, and the continuous improvement of our security posture. We believe that working together transparently, respectfully, and responsibly is the best path to a safer digital world.