TitanFile Vulnerability Disclosure Policy

Introduction

At TitanFile, the security and privacy of our users’ data is our top priority. We value the contributions made by the security research community in identifying potential vulnerabilities. If you believe you have found a security vulnerability in our system, we encourage you to report it responsibly, in accordance with the guidelines outlined in this policy.

Scope

In scope:

Out-of-scope:

  • Vulnerabilities in third-party services that are not under TitanFile’s direct control.

  • Issues related to social engineering attacks or denial of service attacks.

  • Non-technical vulnerabilities such as feedback issues or usability concerns.

Reporting Guidelines

To ensure responsible disclosure, please follow these guidelines when submitting a vulnerability report:

  • Submit via our bug bounty platform: https://www.openbugbounty.org/bugbounty/Titanfile/

  • Do not exploit the vulnerability: Avoid testing vulnerabilities on live user data or causing disruption to our services.

  • Provide a detailed report: Include details of the vulnerability, steps to reproduce, the potential impact, and any suggestions for remediation.

  • Respect user privacy: Do not access or attempt to access any user data other than your own.

Safe Harbor

We will not pursue legal action against individuals who:

  • Adhere to the guidelines of this policy.

  • Do not exploit the vulnerability for personal gain.

  • Make a good-faith effort to avoid disrupting services or harming data.

TitanFile reserves the right to refer cases to law enforcement in instances where actions fall outside the boundaries of good-faith research.

Response Targets

  • Initial Response: We will acknowledge receipt of your report within 5 business days.

  • Triage: We aim to provide feedback or request further information within 10 business days.

  • Resolution: We will work to resolve confirmed vulnerabilities as quickly as possible and keep you updated on our progress.

Incentives

Our bug bounty program offers rewards based on the severity and impact of valid vulnerabilities. The reward tiers are determined by the criticality of the issue, following these general guidelines:

  • Low severity: Not eligible for bounties

  • Moderate severity: CAD 150

  • Critical severity: CAD 200

Severity is determined solely at TitanFile’s discretion.

Payout Process

Once a vulnerability has been validated and accepted, the payout process will be initiated:

  • Payment Approval: Upon successful validation, the security team will approve the reward amount based on the severity and impact.

  • Finance Processing: The TitanFile finance team will handle the payout process. Researchers will be contacted to provide the necessary payment information.

  • Timeline: Payments are generally processed within 30 days of approval, depending on the availability of payment details and processing times.

Eligibility Criteria

For a vulnerability report to be eligible for a reward, it must:

  • Be a previously unknown issue within the TitanFile web application.

  • Be submitted in accordance with this policy.

  • Demonstrate a valid security impact or risk.

Out-of-Scope Vulnerabilities

The following are generally not considered eligible for rewards:

  • Issues related to social engineering, phishing, or physical security.

  • Denial of Service (DoS) attacks or other forms of service disruption.

  • Vulnerabilities found in third-party applications or products.

Program Terms

By participating in the TitanFile bug bounty program, you agree to the following:

  • You will not publicly share any details about the vulnerability or your participation in the program without our prior approval.

  • You will comply with all applicable laws and TitanFile’s terms of service, and refrain from accessing or modifying data that does not belong to you.