We take security issues seriously. If you discover a security vulnerability, please report it responsibly.
- Email: security@trustpin.cloud
- Subject: Include "SECURITY" in the subject line
- Encryption: Use our PGP key if possible (available on our website)
Please include in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes
Response timeline:
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 72 hours
- Status Updates: Weekly until resolved
- Resolution: Depends on severity (critical: 7 days, high: 30 days)
Disclosure guidelines:
- Allow us reasonable time to fix the issue before public disclosure
- We'll credit you in our security advisories (unless you prefer anonymity)
- We may offer bounties for significant vulnerabilities
When using TrustPin:
- Always use `.strict` mode in production
- Keep your pinning configurations up to date
- Monitor certificate expiration dates
- Use secure channels for configuration delivery
- Implement proper error handling for pinning failures
This security policy covers:
- TrustPin iOS SDK source code
- Configuration and setup vulnerabilities
- Certificate validation bypasses
- Authentication and authorization issues
Out of scope:
- General iOS security issues
- Third-party dependencies (report to respective maintainers)
- Social engineering attacks
- Physical device access scenarios
For security-related questions: security@trustpin.cloud