Responsible Disclosure

When vulnerability fixes are ready, they’re pushed to our platforms via our regular patching cycle.

Overview

Trintech takes cybersecurity very seriously. If you discover a vulnerability in our systems, products, or network infrastructure, we appreciate your help in disclosing it to us in a responsible manner. We do not condone any attempts to actively audit our infrastructure without prior authorization through our Security Testing Addendum. However, we recognize that vulnerabilities are occasionally discovered incidentally. The content below describes best practice for submitting this vulnerability information.

Scope

Please note: Trintech does not condone any attempts to actively audit our infrastructure. For a planned security test (application or network penetration test, vulnerability scan, etc.) please reference your signed Security Testing Addendum. For more information, please contact your Trintech Customer Success Representative.

This document applies to technical vulnerabilities on Trintech-owned products, services, and systems. When reporting vulnerabilities, please consider both the attack scenario (or exploitability) and the security impact of the bug. The domains below are examples of our assets:

*.trintech.com
*.adra.com

Out of Scope

  • Domains/subdomains outside the approved testing scope.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attack-related vulnerabilities.
  • Vulnerabilities discovered through automated tools or scans.
  • Vulnerabilities requiring physical access to a user’s computer or device.
  • Vulnerabilities in Trintech partner sites.
  • Spam or social engineering techniques.
  • Physical attacks against Trintech offices or data centers.

Guidelines

Please follow the guidelines below when disclosing vulnerabilities.

  • Report any potential security issue as soon as possible. Trintech will make every effort to quickly validate and resolve the issue.
  • Provide sufficient detail to reproduce the vulnerability, including proof of concept.
  • Please do not disclose an issue to the public or a third party until Trintech has resolved the item.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or accounts for which you have the explicit written permission of the account holder.
  • Redact any language or images that may identify the program or Trintech customers from information about a fixed vulnerability.
  • Do not engage in disruptive testing or any action that could impact the confidentiality, integrity, or availability of information and systems.
  • Do not engage in social engineering or phishing of customers or employees.
  • Please do not request compensation for time and materials or discovered vulnerabilities through the Responsible Disclosure Program.

Vulnerability Submissions

To report a vulnerability, please submit a report (including a proof of concept) via email to disclosure@trintech.com. Trintech will attempt to review and respond to your report within 5 business days of submission.

Thank you for helping keep Trintech and our users safe!