Responsible disclosure program
Trouve Tes Clients welcomes security researchers who help us protect our users and their data. This page describes our commitments, the scope, and how to report.
Last updated: May 11, 2026
Our commitment (safe harbor)
As long as you respect this policy, we commit not to pursue legal action against good-faith researchers who stay within scope, to treat your report confidentially, and to credit you publicly if you wish.
Scope
In scope
- app.trouvetesclients.com — main application
- trouvetesclients.com — marketing site
- Trouve Tes Clients Chrome extension (upcoming)
- Public API endpoints (/api/v1/*)
Out of scope
- Volumetric DoS (flood, amplification, mass auth brute-force)
- Social engineering against employees, contractors or users
- Physical attacks on offices or hardware
- Third-party vulnerabilities (Stripe, Supabase, Clerk, Hetzner, Cloudflare) — report to the relevant vendor
How to report
Send your report by email to:
Security email : security@trouvetesclients.com
PGP key available on request at the same address (fingerprint to be published).
We acknowledge within 48 business hours (Monday–Friday, French public holidays excluded).
What to include
- Clear description of the vulnerability
- Affected components (URL, endpoint, parameter)
- Reproducible step-by-step instructions
- Estimated impact and evidence (screenshots, minimal PoC)
Process
Acknowledgement
Within 48 business hours — confirmation and request for clarification if needed.
Triage
Within 5 business days — impact assessment, severity assignment, internal ticket opened.
Fix
Target timelines: Critical 24–72 h, High 7 days, Medium 30 days, Low 90 days.
Coordinated disclosure
Joint publication (advisory, changelog) on an agreed timeline, typically 90 days after the fix.
Rewards
No monetary bug bounty at this stage. In return: public thanks on this page, nominative mention in the changelog of the patched version, reference letter signed by management, and goodies on request. A paid program is under consideration for 2026–2027.
Security acknowledgements
Be the first to appear here.
Frequently asked questions
- Is my report eligible if I already sent it through another channel?
- Yes, as long as you mention it and the original report is less than 30 days old.
- Can I test on production?
- Yes, as long as you use your own test accounts and follow the rules of engagement. Please avoid peak hours (9–11 AM CET) to limit operational impact.
- What if I accidentally access third-party data?
- Stop immediately, store nothing, and disclose it in your report. This does not void the safe harbor.
- How long before I can publish?
- By default, 90 days after the fix is deployed, or immediately if you require it and the fix is confirmed.
- Is there a financial reward?
- Not at the moment. We offer public credit, a reference letter and goodies. A paid program is on the roadmap for 2026–2027.