TruNorthe Responsible Disclosure Policy

Purpose

TruNorthe is committed to protecting the privacy and security of our users, systems, and data. This policy outlines how security researchers, ethical hackers, and members of the public canresponsibly report vulnerabilities in our systems, in accordance with California law and industrybest practices.

Reporting a Vulnerability

If you discover a security vulnerability, we encourage you to report it to us promptly andresponsibly.
Please email your findings to security@trunorthe.com with the subject line: Vulnerability Disclosure.

Include the following in your report:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and affected systems
  • Any relevant screenshots, logs, or proof-of-concept code
  • Your contact information (optional)

We Ask That You

  • Avoid accessing, modifying, or deleting data that does not belong to you
  • Do not perform denial-of-service attacks or actions that degrade system performance
  • Do not publicly disclose the vulnerability until we have resolved it

Our Commitment To You

Upon receiving your report, TruNorthe will:

  • Acknowledge receipt within
  • 5 business days
  • Investigate the issue and provide status updates
  • Work to resolve verified vulnerabilities in a timely manner
  • Credit you publicly (if desired) once the issue is resolved

Safe Harbor

This policy is intended to align with the principles of responsible disclosure and safe harborprotections. If your actions are consistent with this policy and conducted in good faith, weconsider them authorized and will not initiate legal action.

We do not pursue legal action against individuals who report vulnerabilities in good faithand comply with this policy. This includes protections under California law for good-faithsecurity research (Cal. Penal Code § 502 and related statutes).

Vulnerability Handling & Disclosure

TruNorthe investigates all reported vulnerabilities promptly and thoroughly. If a vulnerabilityposes a risk to user data or system integrity, we prioritize remediation and may notify affectedparties in accordance with applicable laws.

TruNorthe does not share unresolved vulnerabilities publicly and will only disclose technicaldetails once remediation is complete and risk is mitigated.

Partner Responsibilities

TruNorthe maintains legal and contractual obligations to its business partners. In the event avulnerability affects partner systems or data — and does not result in the compromise ofcustomer or employee information — TruNorthe will report the issue directly to the partner and will not publicly disclose the vulnerability unless authorized.

Privacy and Compliance

If a vulnerability involves personal information as defined under the California Privacy Rights Act(CPRA), TruNorthe will assess the risk, notify affected individuals as required by Cal. Civ. Code §1798.82, and take appropriate remediation steps.

Policy Updates

We may update this policy from time to time. The latest version will always be available via TruNorthe.com