Security

Keeping your information safe

Secure solutions are critical to our users. We have several approaches to establishing and improving a secure environment to ensure you can use TruTrip with confidence.

Secure foundations

Your data is securely managed to protect the privacy and interests of your organisation. Our infrastructure is hosted by Amazon Web Services, which holds ISO 27001 and SOC 2 compliance certifications. All payments are managed via Stripe, which meets the stringent PCI DSS Level 1 standard, and payment card data is securely stored in a PCI Level 1 vault by Spreedly. Customer-related data is protected by TrueVault, which abides by HIPAA, GDPR and CCPA.

Independently tested

Regular system audits and validation. Our friendly researchers at Cobalt keep us all on our toes with regular, fully independent pentests of our services and our environments.

Layered protection

In today’s cyber threat landscape we know we are only as strong as our weakest access point. That’s why all our sensitive data is not only behind individual credentials with multi-factor authentication, but is also accessible only from our virtual servers. These protection layers recognise the importance of both network-level and end-user-level security.

Covered for all events

Real protection is not always system based. With this in mind, we take the extra step of protecting you against any misuse through AIG’s CrimeProtector policy.

Researchers welcome

Recognising the army of good natured independent researchers out there, our Vulnerability Disclosure Programme (VDP) provides a researcher friendly framework to identify and report suspected vulnerabilities of our systems. VDPs help us continually test and improve our security systems and protocols - giving our users faster protection from emerging threats.

TruTrip Vulnerability disclosure programme

How it works

Submit a Finding

Complete our short and easy form to register your Finding(s), share your details and accept our terms. We require you to include a Title, Summary, Reproduction Steps and how you see the impact/attack scenario (see terms for more information).

Finding Assessment

Within 7 working days our team will review your Finding and provide an assessment using a methodology very similar to the Open Web Application Security Project’s framework. The assessment is submitted to you for acceptance or comment. If you leave a comment, the team will review it before making a final Vulnerability Assessment.

Get paid

On completion of the Vulnerability Assessment, we will send you a payment of the corresponding Reward amount within 7 working days. To be eligible for Rewards, vulnerabilities must be new and you must accept our terms.

What else should you know

Our Vulnerability Disclosure Programme (VDP) is governed by our terms. You must accept these terms in order to submit a Finding.

We do not authorise or permit the taking of any action which may contravene applicable laws and regulations (e.g. Computer Misuse Act). For the avoidance of doubt, attempts to exploit or test suspected vulnerabilities (e.g. gaining unauthorised access to any computer program or data) are prohibited. If in doubt please contact us.

Conduct

What you will do:

  1. Act responsibly for the sole purpose of reporting suspected vulnerabilities and safeguarding users from damage, harm or loss.
  2. Avoid causing any kind of damage, harm or loss to individuals or organisations (e.g. you should not attempt to test, reproduce or verify the suspected vulnerability, or take any action which may cause interruption or degradation of any Services).
  3. Conduct yourself in accordance with applicable laws and regulations at all times. If you have any doubt about such laws or regulations, please seek and obtain professional legal advice. Under no circumstances should you attempt to exfiltrate any computer data or publish details of any suspected vulnerability.
  4. Upon detection of a suspected vulnerability, notify us immediately or as soon as practicable by submitting a report. You may encrypt your emails to us using our PGP key.
  5. Provide adequate information in the suspected vulnerability report so that we may work with you on validating the suspected vulnerability.

You will NOT

  1. Act in any way which may contravene applicable laws and regulations (e.g. the Computer Misuse Act).
  2. Publish or publicly disclose any suspected vulnerability to any third party before it is resolved as malicious actors may exploit the suspected vulnerability to cause damage, harm or loss to individuals and organisations.
  3. Deploy destructive, disruptive or other unlawful means to detect vulnerabilities (e.g. attacks on physical security, social engineering, denial of service, brute force attacks).
  4. Exploit, test or otherwise use any suspected vulnerability (e.g. taking any step(s) to access, copy, create, delete, modify, manipulate or download any data or programme, build system backdoor(s), modify system configuration(s), facilitate or share system access).

Evaluation method

One of our qualified team members will assess the Finding using a methodology based on OWASP’s Risk Rating Methodology. These findings shall be shared with you for either your acceptance or comment. If you accept then we’ll move on to payment.

If you make comments on the assessment, the assessment and comments shall be reviewed by a different team member for final assessment. Upon completion of a final assessment we shall also proceed to payment.

TruTrip has the right to determine severity classifications, report validity, duplicates, exclusions and out-of-scope bugs at its sole discretion.

Rewards

We shall pay out Rewards based on the following criteria:

Reward (SGD)                 Likelihood
                    Low        Medium       High
Impact   High       $200       $750         $2,000
         Medium     $30        $200         $750
         Low        $0         $30          $200

Rates as of 1st August 2021. TruTrip reserves the right to decrease or increase any Rate based on our own assessment of impact. Prior Rates are not precedent for future payments.
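As an added illustration (not TruTrip's own code), the evaluation step and the Reward table above can be carried through with OWASP's Risk Rating Methodology: each of the eight likelihood and eight impact factors is scored 0 to 9, the two means map to Low/Medium/High bands, and the bands index the Reward matrix. The factor names follow the OWASP methodology; the scored finding is constructed for the example, and TruTrip's actual scoring details are not on the page.

```python
from statistics import mean

# OWASP Risk Rating Methodology factor names. Each is scored 0-9; the mean of
# the eight likelihood factors and of the eight impact factors is banded.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability",
                  "financial_damage", "reputation_damage",
                  "non_compliance", "privacy_violation")

# Reward matrix in SGD as published on the programme page (rates as of
# 1 August 2021), indexed as REWARDS[impact_band][likelihood_band].
REWARDS = {
    "High":   {"Low": 200, "Medium": 750, "High": 2000},
    "Medium": {"Low": 30,  "Medium": 200, "High": 750},
    "Low":    {"Low": 0,   "Medium": 30,  "High": 200},
}

def band(score: float) -> str:
    """OWASP bands: 0 to <3 is Low, 3 to <6 is Medium, 6 to 9 is High."""
    if not 0 <= score <= 9:
        raise ValueError(f"factor mean {score} is outside 0-9")
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"

def assess(factors: dict) -> tuple:
    """Return (likelihood band, impact band, reward in SGD) for a Finding.
    Unscored or out-of-range factors are rejected, never silently defaulted."""
    missing = [f for f in LIKELIHOOD_FACTORS + IMPACT_FACTORS if f not in factors]
    if missing:
        raise KeyError(f"unscored factors: {missing}")
    for name, value in factors.items():
        if not isinstance(value, int) or not 0 <= value <= 9:
            raise ValueError(f"{name} must be an integer 0-9, got {value!r}")
    likelihood = band(mean(factors[f] for f in LIKELIHOOD_FACTORS))
    impact = band(mean(factors[f] for f in IMPACT_FACTORS))
    return likelihood, impact, REWARDS[impact][likelihood]

# Constructed scoring of a hypothetical Finding: fairly easy to discover and
# exploit (likelihood mean 5.75, Medium) but little technical or business
# impact (impact mean 1.5, Low), so it lands in the $30 cell.
EXAMPLE_FINDING = dict(
    skill_level=3, motive=4, opportunity=7, size=6, ease_of_discovery=7,
    ease_of_exploit=5, awareness=6, intrusion_detection=8,
    loss_of_confidentiality=2, loss_of_integrity=1, loss_of_availability=1,
    loss_of_accountability=1, financial_damage=1, reputation_damage=2,
    non_compliance=2, privacy_violation=2)

if __name__ == "__main__":
    print(assess(EXAMPLE_FINDING))
```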

Payment

Payment is typically made within 14 days of submitting a Finding. We currently make payments via the Wise payment infrastructure; typically this goes directly into your bank account, or your Wise account if you have one, and we cover any associated fees. If you require payment outside of the Wise infrastructure, we will deduct any associated fees from your Reward.

Exclusions

We will not issue Rewards for

  • Findings already identified. Please see this list for known issues.
  • Findings relating to 3rd-party systems.
  • Findings which enumerate already claimed handles, emails and other such information. This reveals no sensitive information, regardless of whether the associated profiles are public or private.
  • Findings related to Distributed Denial of Service (DDoS).

Other questions

If you have any other queries relating to our Vulnerability Disclosure Programme, please contact us and we will endeavour to help.