Security
Security & Responsible Disclosure
Effective date: July 9, 2026
Security is not a feature we add to our systems; it is a property we design them to have. Truffaire builds technology that people and institutions depend on in real conditions, and we treat the protection of that technology — and of the data entrusted to it — as a first-order engineering responsibility.
We also believe that security is strengthened by the community of researchers who probe systems in good faith. This policy explains how we secure our systems and how you can report a vulnerability to us safely and responsibly.
1. Our Approach
We apply defence-in-depth across our web properties and infrastructure. This includes enforced HTTPS with HSTS, a strict Content-Security-Policy, hardened security headers, least-privilege access controls, and the principle of failing closed — when something is uncertain, access is denied rather than granted. Our practices are reviewed and updated as threats and best practices evolve.
2. Reporting a Vulnerability
If you believe you have found a security vulnerability in any Truffaire website or system, we want to hear from you. Please report it to us privately, before any public disclosure, so that we have the opportunity to investigate and remediate.
- —Email a detailed report to one@truffaire.in. This address is also published in our machine-readable security.txt.
- —Include the affected system or URL, a clear description of the issue, and the steps required to reproduce it.
- —Where relevant, include proof-of-concept material and an assessment of the potential impact.
Our security contact details are published, and kept current, at truffaire.in/.well-known/security.txt.
3. Scope
This policy applies to the Truffaire website at truffaire.in and its associated web properties. Reports concerning third-party services we rely on should, where possible, also be reported to the relevant provider.
4. Safe Harbour
We will not pursue or support legal action against researchers who act in good faith and in accordance with this policy. To qualify, we ask that you:
- —Make a good-faith effort to avoid privacy violations, data destruction, and interruption or degradation of our services.
- —Only interact with accounts you own or have explicit permission to access, and do not access, modify, or delete data belonging to others.
- —Do not use automated tooling that could degrade service, and do not perform denial-of-service testing, social engineering, or physical attacks.
- —Give us a reasonable time to investigate and remediate before disclosing the issue publicly, and do not disclose it to others in the meantime.
5. Our Commitment to You
When you report a vulnerability in line with this policy, we commit to acknowledging your report, investigating it promptly, keeping you informed of our progress, and remediating confirmed issues as quickly as is responsible. We are grateful for the work of researchers who help us keep our systems secure, and we are happy to credit you for a valid report where you wish to be named.
6. Out of Scope
The following are generally not considered actionable vulnerabilities: reports from automated scanners without a demonstrated impact, missing best-practice headers that do not lead to a concrete exploit, issues requiring physical access to a user's device, and social-engineering or spam-related reports. We nonetheless welcome any observation made in good faith.
7. Contact
For all security matters, please write to us at:
This policy is governed by the laws of India. It does not grant permission to act in any manner inconsistent with applicable law.