Coordinated vulnerability disclosure

Our goal at Tropic Square is to deliver chips you can truly trust. We believe that open collaboration with the security community is the best way to keep our products and users safe. If you have discovered a security vulnerability, we would love to hear from you. We are committed to working with you to verify, fix, and publicly disclose vulnerabilities responsibly.

Security advisories

This page explains how to report a newly discovered security vulnerability to our team.
For a list of all published security advisories and errata for our products, please visit:

How to report a vulnerability

Thank you for conducting security research on our products and for disclosing the vulnerabilities you find to us. We have a dedicated process for receiving reports so that our security team can handle them smoothly and as quickly as possible.

Step 1: Initial Contact

Please use our support desk for the initial contact. Simply state that you would like to disclose a security vulnerability to us. You may also include your PGP key so that we can reply to you by encrypted email.
IMPORTANT: Please do not include any sensitive information, vulnerability details, or proof-of-concept code in this initial contact.

Step 2: Secure vulnerability disclosure

A member of our security team will respond to you directly as soon as possible. They will provide you with contact details and a way to share the vulnerability report over a secure, encrypted channel.

It is also possible to use PGP encrypted email communication with us from the beginning. Use the contact and PGP keys listed in the security.txt file.

Our PGP keys can be obtained through the security.txt file and are also published on a public keyserver. The key fingerprints are listed at the bottom of this page; compare them against the key you fetch before encrypting anything to it.

This channel is also used for reporting active security incidents. If you have a reason to believe a Tropic Square system has been compromised, have discovered a data leak, or are aware of a vulnerability being exploited, please contact us immediately using the same process.
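The checks a reporter should make before trusting a fetched security.txt, as an added example (this is not Tropic Square's code, and the sample file, addresses, URL and fingerprint in it are constructed placeholders, not Tropic Square's real values). Per RFC 9116 the file lives at /.well-known/security.txt; the code parses its fields, requires at least one Contact and exactly one unexpired Expires, and compares the openpgp4fpr fingerprint in the Encryption field with the fingerprint you obtained out of band (for instance from the bottom of this page), so that a tampered file or a stale key is caught before a report is encrypted to it.

```python
"""Sanity-check a security.txt (RFC 9116) before using the contact and key it lists.

Added example, not Tropic Square's code. The sample file, addresses, URL and
fingerprint below are constructed placeholders, not Tropic Square's real values.
"""
import re
from datetime import datetime, timezone

# Constructed sample of what a /.well-known/security.txt looks like (placeholders only).
SAMPLE_SECURITY_TXT = """\
# Example security.txt (constructed for this example)
Contact: mailto:security@example.com
Contact: https://example.com/support
Encryption: openpgp4fpr:0123456789ABCDEF0123456789ABCDEF01234567
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security
"""

# Same constructed file, but with an Expires date in the past (a stale file must be rejected).
EXPIRED_SECURITY_TXT = SAMPLE_SECURITY_TXT.replace("2030-01-01T00:00:00Z", "2020-01-01T00:00:00Z")

# RFC 9116 Encryption values may be a key URL or an "openpgp4fpr:" URI with a 40-hex fingerprint.
FPR_RE = re.compile(r"^openpgp4fpr:([0-9A-Fa-f]{40})$")


def parse_security_txt(text):
    """Return {field_name_lowercase: [values...]}; blank lines and '#' comments are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed security.txt line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, expected_fingerprint, now=None):
    """Return (ok, problems) for a security.txt body against an out-of-band fingerprint.

    expected_fingerprint is the fingerprint you got elsewhere (e.g. the vendor's page or a
    signed announcement); spaces and case are ignored when comparing.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    if not fields.get("contact"):
        problems.append("no Contact field")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        # Python < 3.11 does not accept a trailing 'Z', so normalise it to an explicit offset.
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        if exp <= now:
            problems.append(f"file expired on {expires[0]}")

    listed = [m.group(1).upper() for enc in fields.get("encryption", [])
              if (m := FPR_RE.match(enc))]
    wanted = re.sub(r"\s+", "", expected_fingerprint).upper()
    if not listed:
        problems.append("no openpgp4fpr fingerprint in Encryption")
    elif wanted not in listed:
        problems.append("fingerprint in Encryption does not match out-of-band fingerprint")

    return (not problems, problems)


if __name__ == "__main__":
    # Constructed out-of-band fingerprint, written with the spacing gpg prints.
    oob = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    print(check_security_txt(SAMPLE_SECURITY_TXT, oob))
    print(check_security_txt(EXPIRED_SECURITY_TXT, oob))
    print(check_security_txt(SAMPLE_SECURITY_TXT, "F" * 40))
```

If the Encryption field is a key URL rather than a fingerprint, fetch the key, import it into a scratch keyring and compare the fingerprint gpg reports with the one published out of band; the file itself is not a trust anchor, the independently published fingerprint is.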

Report structure

Over the secure channel please describe:

  • Affected product and version
  • General description of the vulnerability
  • Scope and impact
  • Other relevant information (how to reproduce, scripts, logs, tools used, proof-of-concept code, etc.)
  • Any plans you may have for public disclosure (e.g., a blog post or conference talk)
  • Permission to be listed in the Acknowledgement section (if you give permission, include how you would like to be listed)
  • Anything else you consider relevant to the report

The preferred language of communication is English.

Scope

Products, software, hardware source code and documentation listed on the TROPIC01 GitHub page are in scope of this policy.

We actively authorize and encourage good-faith security research on the products and systems listed in scope.

Please be aware that our hardware is often integrated as a component into a third-party end-product. While our policy authorizes research on the Tropic Square hardware itself, it does not supersede the security policy of that end-product's vendor. You are responsible for understanding and adhering to the end-product vendor's disclosure policy when your research involves their systems or products.

The secondary scope of this policy includes:

  • Tropic Square website
  • Other Tropic Square development infrastructure (for third-party hosting services we use, please also respect their policy)

Social engineering, spamming, and denial of service are out of scope of this policy.

Rules of engagement

To ensure the smoothest possible remediation of found vulnerabilities and to maintain the highest possible security for our customers, we kindly ask you to:

  • Disclose found vulnerabilities securely according to the "How to report a vulnerability" section
  • Report any found vulnerabilities to us as soon as possible after their discovery
  • Only conduct security research on products and systems listed in the "Scope" section

Public disclosure

Tropic Square is fully committed to transparency and believes in the value of public disclosure. We will work with you to ensure your findings are shared with the public and that you receive full credit for your work.

To protect our customers and end-users, we ask that you do not publicly disclose the vulnerability until we have had sufficient time to develop and release a fix.

We will coordinate with you to determine a fair disclosure date. We use a baseline of 90 days as a starting point, as is common practice. However, we also recognize that hardware vulnerabilities can require longer, more complex supply chain coordination. We will be transparent with you about our timeline and will work to find a date that is fair to both you and our users.

Commitment

The Tropic Square security team commits to take your report seriously and communicate with you during the disclosure process as openly as possible. We will:

  • contact you after your initial email as soon as possible (within 3 business days)
  • assess your report to the best of our technical ability and work to find a suitable fix as soon as possible
  • provide you with periodic updates on the steps we are taking to remediate the disclosed vulnerability
  • publicly disclose the vulnerability at an appropriate time, together with its impact and the steps taken to fix it
  • publicly thank you for your contribution to the security of our products in the Acknowledgement section (unless you opt out)

Safe harbor

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the security vulnerability quickly, and Tropic Square will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Acknowledgement

We appreciate and thank the following people for disclosing security vulnerabilities to us, helping make our products and the community more secure:

Name
Description

If you have reported a vulnerability and do not see your name listed, or if you would like to update your details, please contact us at security@tropicsquare.com.

Security Policy Changelog

This table tracks updates to the Tropic Square Coordinated Vulnerability Disclosure Policy and associated security pages.

Date
Description of Change
