Our promise
We acknowledge your report within two business days, keep you informed of progress, credit you in our security hall of fame if you wish, and never pursue legal action for good-faith security research conducted under this policy.
Scope
In scope: the production TrackProject web application (track-project.com and *.track-project.com), mobile clients, public APIs and Customer-facing infrastructure. Out of scope: third-party services we depend on, social-engineering attacks against employees or Customers, physical attacks, denial-of-service and any finding that requires a privileged Customer account the researcher does not own.
How to report
Email security@track-project.com with a clear reproduction, the affected URL, expected vs actual behaviour and any proof-of-concept artefacts. Encrypt sensitive reports with our PGP key (fingerprint published on request), and check that the key you encrypt to carries that fingerprint before sending.
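A small helper for the encryption step above, added here as an example and not part of the TrackProject policy: it normalises the fingerprint you were given, checks that the key in your keyring really carries that fingerprint, and only then encrypts the report to the full fingerprint (not a short key ID). The file name and fingerprint values are assumptions for illustration; use the fingerprint the programme publishes.

```shell
#!/bin/sh
# Added example, not from the TrackProject policy page. Encrypts a report to the
# programme's PGP key only after confirming the key's fingerprint matches the one
# obtained out of band. File names and fingerprint values are assumptions.

# Normalise a fingerprint for comparison: drop spaces, uppercase the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when two fingerprints match after normalisation, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Sanity check: an OpenPGP v4 fingerprint is exactly 40 hex digits.
valid_fpr_format() {
    n="$(normalize_fpr "$1")"
    case "$n" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#n}" -eq 40 ]
}

# Encrypt $1 (plaintext report) to the key whose fingerprint is $2, after
# verifying that the keyring really holds a key with that fingerprint.
encrypt_report() {
    report="$1"
    expected_fpr="$(normalize_fpr "$2")"
    valid_fpr_format "$expected_fpr" || { echo "bad fingerprint format" >&2; return 2; }
    # With --with-colons, gpg prints "fpr" records whose 10th field is the fingerprint;
    # the first record is the primary key.
    found_fpr="$(gpg --with-colons --fingerprint "$expected_fpr" 2>/dev/null \
                 | awk -F: '$1=="fpr"{print $10; exit}')"
    [ -n "$found_fpr" ] || { echo "key not in keyring; import it first" >&2; return 3; }
    fpr_matches "$found_fpr" "$expected_fpr" || { echo "fingerprint mismatch" >&2; return 4; }
    # Address the recipient by full fingerprint so a colliding short ID cannot
    # substitute another key.
    gpg --armor --encrypt --recipient "$expected_fpr" --output "$report.asc" "$report"
}

# Usage (hypothetical values):
#   gpg --import trackproject-security.asc
#   encrypt_report report.txt "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
```

The fingerprint comparison is the point: importing a key file proves nothing about who controls it, so the check against the out-of-band fingerprint is what ties the encryption to the programme rather than to whoever served the key file.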
Response timeline
Acknowledgement within two business days. Triage within five business days. Remediation depends on severity: critical issues are patched as quickly as safely possible, typically within 7 days; high within 30 days; medium within 90 days. We will keep reporters updated throughout.
Rewards & recognition
We currently operate a recognition-based programme: validated reports earn a credit in our security hall of fame and TrackProject merchandise. A monetary bug-bounty programme is on the roadmap.
Safe harbour
We will not bring legal action against researchers who stay within scope, avoid privacy violations and service disruption, give us reasonable opportunity to remediate, and act in good faith. We consider this policy a public authorisation under applicable computer-misuse statutes.