Secure solutions are critical to our users. We have several approaches to establishing and improving a secure environment to ensure you can use TruTrip with confidence.
Your data is securely managed to protect the privacy and interests of your organisation. Our infrastructure is hosted by Amazon Web Services which holds the ISO 27001 and SOC 2 compliance certification. All payments are managed via Stripe which meets the stringent PCI DSS Level 1 standards and payment card data is securely stored in a PCI Level 1 vault by Spreedly. Customer-related data is protected by TrueVault which abides by HIPAA, GDPR and CCPA.
Regular system audit and validation. Our friendly researchers at Cobalt keep us all on our toes with regular and fully independent pentests of our services and our environments.
In today’s cyber threat landscape we know we are only as strong as our weakest access point. That’s why all our sensitive data is not only behind individual credentials with multi-factor authentication, but also requiring access from our Virtual Servers. These protection layers recognise the importance of network and end user-level security.
Real protection understands that it is not always system based - with this in mind we take the extra step to protect you against any misuse through AIG’s CrimeProtector policy.
Recognising the army of good natured independent researchers out there, our Vulnerability Disclosure Programme (VDP) provides a researcher friendly framework to identify and report suspected vulnerabilities of our systems. VDPs help us continually test and improve our security systems and protocols - giving our users faster protection from emerging threats.
TruTrip Vulnerability disclosure programme
Complete our short and easy form to register your Findings(s), share your details and accept our terms. We require you to include Title, Summary, Reproduction Steps and how you see the impact/attack scenario (see terms for more information)
Within 7 working days our team will review your Finding and provide an assessment using a methodology very similar to the Open Web Application Security Project’s framework. The assessment is submitted to you for acceptance or comment*. If you leave a comment, the team will review before making a final Vulnerability Assessment.
On completion of the Vulnerability Assessment, we will send you a payment of the corresponding Reward amount within 7 working days. To be eligible for Rewards, vulnerabilities must be new and you must accept our terms.
Our Vulnerability Disclosure Programme (VDP) is governed by our terms. You must accept these terms in order to submit a Finding.
We do not authorise or permit the taking of any action which may contravene applicable laws and regulations (e.g. Computer Misuse Act). For the avoidance of doubt, attempts to exploit or test suspected vulnerabilities (e.g. gaining unauthorised access to any computer program or data) are prohibited. If in doubt please contact us.
What you will do:
You will NOT
One of our qualified team members will assess the Finding using a methodology based on OWASP’s Risk Rating Methodology. These findings shall be shared with you for either your acceptance or comment. If you accept then we’ll move on to payment.
If you make comments on the assessment, the assessment and comments shall be reviewed by a different team member for final assessment. Upon completion of a final assessment we shall also proceed to payment.
TruTrip have the right to determine severity classifications, report validity, duplications, exclusions, and out-of-scope bugs in its sole discretion.
We shall pay out rewards based on the following criteria
Rates as of 1st August 2021. TruTrip reserves the right to decrease or increase any Rate based on our own assessment of impact. Prior Rates are not precedent for future payments.
Payment is typically made within 14 days of submitting a finding. We currently make payments via the Wise payment infrastructure, typically this will go directly into your bank account or Wise account if you have one, and we cover any associate fees. If you require payment outside of the Wise infrastructure, we will deduct any associated fees from your reward.
We will not issue Rewards for
If you have any other queries relating to our Vulnerability Disclosure Programme, please contact us and we will endeavour to help.
Upload a file Maximum size: 7MB.Allowed file types: .pdf, .txt, .csv, .doc, .docx.
By clicking on Submit, you accept our terms and conditions
Copyright © 2023 TruTrip. All rights reserved