T R U F F A I R E
← All policies

Security

Security & Responsible Disclosure

Effective date: July 9, 2026

Security is not a feature we add to our systems; it is a property we design them to have. Truffaire builds technology that people and institutions depend on in real conditions, and we treat the protection of that technology — and of the data entrusted to it — as a first-order engineering responsibility.

We also believe that security is strengthened by the community of researchers who probe systems in good faith. This policy explains how we secure our systems and how you can report a vulnerability to us safely and responsibly.

1. Our Approach

We apply defence-in-depth across our web properties and infrastructure. This includes enforced HTTPS with HSTS, a strict Content-Security-Policy, hardened security headers, least-privilege access controls, and the principle of failing closed — when something is uncertain, access is denied rather than granted. Our practices are reviewed and updated as threats and best practices evolve.

2. Reporting a Vulnerability

If you believe you have found a security vulnerability in any Truffaire website or system, we want to hear from you. Please report it to us privately, before any public disclosure, so that we have the opportunity to investigate and remediate.

Our security contact details are published, and kept current, at truffaire.in/.well-known/security.txt.

3. Scope

This policy applies to the Truffaire website at truffaire.in and its associated web properties. Reports concerning third-party services we rely on should, where possible, also be reported to the relevant provider.

4. Safe Harbour

We will not pursue or support legal action against researchers who act in good faith and in accordance with this policy. To qualify, we ask that you:

5. Our Commitment to You

When you report a vulnerability in line with this policy, we commit to acknowledging your report, investigating it promptly, keeping you informed of our progress, and remediating confirmed issues as quickly as is responsible. We are grateful for the work of researchers who help us keep our systems secure, and we are happy to credit you for a valid report where you wish to be named.

6. Out of Scope

The following are generally not considered actionable vulnerabilities: reports from automated scanners without a demonstrated impact, missing best-practice headers that do not lead to a concrete exploit, issues requiring physical access to a user's device, and social-engineering or spam-related reports. We nonetheless welcome any observation made in good faith.

7. Contact

For all security matters, please write to us at:

Truffaire — Security

Bengaluru, Karnataka, India

one@truffaire.in

This policy is governed by the laws of India. It does not grant permission to act in any manner inconsistent with applicable law.