Responsible Disclosure Program

Effective: 2026-05-01

Security is the product. If you believe you’ve found a vulnerability in a Talarity service, we want to hear from you — and we want to make it safe and straightforward to tell us. This page describes our Coordinated Vulnerability Disclosure (CVD) program: how to report, what we commit to in return, and the rules of engagement that keep good-faith research protected.

Please conduct all testing against our development environment, listed under “What’s in scope” below — primarily https://talarity-dev.web.app. Do not test against production. This protects real customer data while still giving you a faithful copy of the platform to research.

1. How to report

Submit your report through our vulnerability report form. You can report anonymously — no account is required, and email and PGP fingerprint, if you provide them, are hashed before storage and never persisted in plaintext. On submission you’ll receive an opaque report token; keep it, as it’s the handle you’ll use to track status and coordinate with us.

Prefer email? Reach our security team at security@talarity.com. We acknowledge new reports promptly and prioritize the speed of each fix according to its severity.

2. Safe harbor

Talarity supports good-faith security research. If you submit a vulnerability report through this program and follow this policy, we will not pursue or support legal action against you for accessing, testing, or disclosing the vulnerability. Good-faith means:

  • You stop testing as soon as you confirm the issue.
  • You do not exfiltrate customer data beyond what is needed to demonstrate the vulnerability.
  • You do not disrupt the service or other users.
  • You give us the disclosure window described below before publishing details.

3. What’s in scope

  • Talarity development web application — https://talarity-dev.web.app
  • Talarity development admin console — https://talarity-dev-admin.web.app
  • Talarity development marketing site — https://talarity-landing-dev.web.app
  • Talarity Cloud Functions backing the development environment (us-central1)
  • Talarity-authored open-source repositories

4. What’s out of scope

The following are explicitly out of scope for this program:

  • Production services (app.talarity.com, www.talarity.com, *.talarity.com) — please test only against the development environment above
  • Customer-owned data inside any tenant — do not access it without that customer’s permission
  • Third-party services Talarity integrates with — report those to the relevant vendor instead
  • Denial of service through traffic volume
  • Social engineering of Talarity employees or customers
  • Physical attacks against Talarity offices or infrastructure

5. Coordinated disclosure timeline

We follow a 90-day coordinated disclosure window, consistent with FIRST CVD guidance and ISO/IEC 29147. We ask that you give us up to 90 days from your report to remediate before publishing details publicly. When we ship a fix, we’ll coordinate timing with you and, where customers are affected, notify them through our security advisory channel. If you need a shorter or longer window for a specific case, tell us in your report and we’ll work it out together.

6. What to include in a good report

  • A clear, one-line summary of the issue and its security impact.
  • The affected component or URL (for example: login page, vendor portal, a named service).
  • Step-by-step reproduction instructions.
  • Your severity estimate, if you have one.
  • A suggested remediation, if you have a recommendation.

7. Recognition

We’re glad to credit researchers who report valid issues in good faith. If you’d like public credit, include a handle or pseudonym in your report and we’ll name you when the corresponding advisory ships. If you’d rather stay anonymous, that’s fine too.

8. After you report

Use the report token you received to check status, or correspond with us at security@talarity.com. For the complete, authoritative policy — including the live disclosure window and contact details — see our Coordinated Vulnerability Disclosure policy.