Vulnerability Disclosure Policy
Last updated: March 3, 2026
1. Introduction
Tereda Software LLC ("Tereda Labs," "we," "us," or "our") values the security community and believes that responsible disclosure of security vulnerabilities helps ensure the safety and privacy of all users. This Vulnerability Disclosure Policy (VDP) describes how to report security vulnerabilities in Tereda Labs systems and what you can expect from us.
This policy is aligned with ISO 29147 (Vulnerability Disclosure) and ISO 30111 (Vulnerability Handling), and informed by NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide).
Having a VDP signals organizational maturity. Per the Federal Contractor Cybersecurity Vulnerability Reduction Act (H.R. 872), vulnerability disclosure policies will be required for federal contracts above $250K. Tereda Labs maintains this policy proactively as part of our commitment to security transparency and federal compliance readiness.
2. Scope
This policy applies to the following assets owned and operated by Tereda Labs:
- teredalabs.com and its subdomains
- Any software products or platforms developed and operated by Tereda Labs
- APIs and web services operated by Tereda Labs
Out of scope:
- Third-party services hosted by other providers (e.g., Cloudflare, Google)
- Physical facilities, social engineering, or phishing of Tereda Labs employees
- Denial of service testing
- Findings from automated scanning without manual validation
3. How to Report
Submit vulnerability reports to: security@teredalabs.com
Encrypted communication via PGP is available upon request. Contact us at the address above to obtain our public key.
Your report should include:
- Description of the vulnerability
- Steps to reproduce
- Affected system or URL
- Impact assessment
- Your contact information (optional, but helpful for follow-up)
Reports should contain enough detail for us to reproduce and validate the issue. The more information you provide, the faster we can triage and respond.
4. Response Timeline
We are committed to responding promptly and transparently to all valid vulnerability reports. The following timelines represent our targets from the date of receipt:
- Acknowledgment — Within 48 hours of receipt.
- Triage — Within 5 business days, we will provide an initial assessment of severity and validity.
Remediation timelines based on severity:
- Critical — 7 days
- High — 30 days
- Medium — 60 days
- Low — 90 days
Disclosure — We support coordinated disclosure. We will work with reporters on timing and credit. We ask that reporters refrain from publicly disclosing vulnerability details until we have had a reasonable opportunity to remediate the issue.
5. Safe Harbor
Tereda Labs supports good faith security research. Researchers who follow this policy:
- Will not face legal action from Tereda Labs for their research activities.
- Will not be reported to law enforcement for their research activities.
- Will be treated as authorized if they comply with this policy.
We consider security research conducted in a manner consistent with this policy to be authorized, and we will not pursue civil or criminal action against researchers acting in good faith.
If legal action is initiated by a third party against a researcher for activities that were conducted in compliance with this policy, Tereda Labs will take steps to make it known that the researcher's actions were conducted in accordance with this policy.
6. Researcher Guidelines
To qualify for safe harbor protections, researchers must adhere to the following guidelines:
- Make a good faith effort to avoid privacy violations, data destruction, and service disruption.
- Only interact with accounts you own or for which you have explicit permission.
- Do not exfiltrate data beyond what is necessary to demonstrate the vulnerability.
- Do not modify or delete data in systems you do not own.
- Do not use findings for purposes other than responsible disclosure.
- Stop testing and report immediately if you access user data.
7. Recognition
We believe in recognizing security researchers who help improve our security posture. With researcher consent, we will:
- Acknowledge the researcher in our security advisory, if applicable.
- Provide a letter of acknowledgment suitable for professional use.
We do not currently operate a paid bug bounty program, but we value and appreciate all good-faith reports.
8. Legal
This policy is not a license for unauthorized access to systems not owned by Tereda Labs.
This policy does not waive any rights that Tereda Labs may have against malicious actors.
Reports made in bad faith or that violate the researcher guidelines described in Section 6 are not protected by the safe harbor provisions described in Section 5.
9. Contact
Security reports: security@teredalabs.com
Legal questions: legal@teredalabs.com
Tereda Software LLC
Connecticut, USA