Skip to content
Legal

Responsible Disclosure

Effective date: April 1, 2026. We welcome reports from the security community.

Scope

This policy applies to https://twcsoftware.com and any subdomains we operate. Third-party services are out of scope; please report issues affecting them directly to those vendors.

How to report

Please email security@twcsoftware.com with a detailed description, steps to reproduce, and any supporting evidence. PGP keys are available on request.

Our commitments

When you report a vulnerability in good faith, we commit to:

  • Acknowledge receipt within two business days.
  • Provide an initial assessment within five business days.
  • Keep you informed of remediation progress.
  • Credit you (if you wish) once the issue is resolved.

Out of scope

The following are generally out of scope unless they demonstrate concrete impact:

  • Reports based solely on automated scanner output.
  • Self-XSS, clickjacking on non-sensitive pages, or missing HTTP headers without exploitability.
  • Denial-of-service or social engineering attacks.
  • Issues requiring physical access to a user's device.

Safe harbor

We will not pursue legal action against researchers who follow this policy, act in good faith, and avoid privacy violations, service disruption, or destruction of data.