How to report
Email hello@trusq.io with enough detail to reproduce the issue — affected URL or endpoint, steps, and impact. Our security.txt lists the same contact. Please report in English or Dutch.
Scope
Trusq’s own surfaces: trusq.io and app.trusq.io. Out of scope: our third-party sub-processors (Hetzner, Mistral, Scaleway) — report issues in their platforms to them directly — and findings with no realistic security impact (e.g. missing best-practice headers without a demonstrable exploit, rate-limiting opinions, or automated-scanner output without a working proof of concept).
Good-faith testing
Please act in good faith: test only against your own account or accounts you’re authorised to use; do not access, modify or delete other users’ data; do not run denial-of-service, spam or social-engineering attacks; and stop as soon as you’ve demonstrated a vulnerability. Give us a reasonable chance to fix an issue before disclosing it publicly. Testing that respects this guidance is welcome and we won’t pursue action over it.
No bug-bounty programme
Trusq does not currently run a paid bug-bounty programme, and we can’t promise a monetary reward. We genuinely appreciate responsible reports and are happy to credit you (with your permission) once an issue is resolved.
What to expect
We’re a small team and read every report. We aim to acknowledge a valid report within a few business days and to keep you informed as we work on it. These are intentions, not a contractual SLA — we’d rather set a realistic expectation than an inflated one.