Responsible Disclosure

DRAFT — pending outside-counsel review. This policy has not been reviewed or approved by counsel. It is published in good faith during the pre-launch period to honor RFC 9116 and provide a clear channel for security researchers. Substantive terms (especially safe-harbor scope) may change after counsel review.

Last updated: 2026-04-30 · Effective: [pending counsel sign-off] · Policy version: 0.1

Reporting a vulnerability

If you have discovered a security issue affecting teraplex.us or its subdomains, please report it to security@teraplex.us.

Interim fallback (pre-launch). Domain email is being provisioned. If security@teraplex.us bounces, please send a brief message via LinkedIn noting that you have a security disclosure and we will reply with a working address. Do not include vulnerability details in the LinkedIn message itself.

We commit to acknowledging your report within 2 business days and providing an initial assessment within 10 business days.

Scope

In scope:

  • teraplex.us and any first-party subdomain we operate
  • Backend APIs, form handlers, and authenticated endpoints we own
  • Vulnerabilities in our own code, configuration, or content

Out of scope:

  • Third-party platforms we integrate with (Vercel, Cloudflare, HubSpot, Twilio, Postmark, Plausible, Heap, Segment, Osano) — please report directly to those vendors
  • Issues in browsers, operating systems, or third-party libraries unless triggerable through our specific configuration
  • Social-engineering attacks against Teraplex personnel or our customers
  • Physical access to our offices or hardware
  • Denial-of-service attacks (volumetric or otherwise)
  • Reports of email-spoofing risk that don't include a workable proof-of-concept (we welcome SPF / DKIM / DMARC observations as suggestions, not findings)
  • Reports based solely on automated scanner output without manual validation
  • Best-practice / hardening recommendations without a concrete vulnerability

What we ask of you

  • Give us reasonable time to investigate and remediate before any public disclosure (we target 90 days from acknowledgment, longer for complex issues by mutual agreement)
  • Make a good-faith effort to avoid privacy violations, data exfiltration beyond what's needed to demonstrate the issue, and degradation of service
  • Do not test on accounts or data that don't belong to you. Do not access more data than necessary to confirm the vulnerability
  • Do not run automated vulnerability scanners at high request rates against our infrastructure
  • Provide enough information for us to reproduce — affected URL, payload or steps, expected vs. actual behavior, and your environment

Safe harbor

If you make a good-faith effort to comply with this policy in connection with security research and vulnerability disclosure, we will not pursue or support legal action against you for the research itself. We waive any restriction in our Terms of Use that would otherwise prohibit your activity, to the extent it complies with this policy.

This safe-harbor commitment does not extend to: actions that exceed the scope above; activity that violates federal or state law (including unauthorized access beyond what's needed to demonstrate a vulnerability); harm to data subjects, customers, or third parties; or activity directed at platforms not operated by Teraplex Inc.

We cannot grant safe harbor on behalf of third parties whose systems may be incidentally affected (Vercel, Cloudflare, HubSpot, Twilio, etc.). Please review the disclosure policies of those vendors before testing any vulnerability that touches their infrastructure.

Recognition

We currently do not run a paid bug-bounty program. Researchers who identify issues we consider material and confirmable will, with their permission, be acknowledged on a forthcoming Security Acknowledgments page. We expect to formalize a bounty program in connection with our SOC 2 Type II audit — see Privacy Policy §security for the broader Year-2 trajectory.

Encryption

If you wish to encrypt your report, request a current PGP key by writing to the contact address above. We will publish a long-lived public key once the security mailbox migration is complete.

Hall of fame

None yet. We are pre-launch as of 2026-04-30.

Changes to this policy

We may update this policy as our security program matures (Year-2 SOC 2 Type II is the next major change trigger). Material changes will be reflected in the policy version above and at /.well-known/security.txt.

Contact

security@teraplex.us

Teraplex Inc. (a Delaware corporation in formation)

RFC 9116 file: /.well-known/security.txt