TPO Group Vulnerability Disclosure Policy
Last Updated: 25 September 2025
1. Introduction
TPO Group, LLC ("we," "our," or "us") is a cybersecurity consultancy specializing in incident response and cyber risk assessment. We are committed to maintaining the security of our systems, infrastructure, and client data. We recognize that security researchers, ethical hackers, and the cybersecurity community play a vital role in helping organizations identify and address security vulnerabilities.
This Vulnerability Disclosure Policy outlines how security researchers can responsibly report security vulnerabilities they discover in our systems, and how we will respond to such reports.
2. Scope
This policy covers vulnerabilities in:
- Our corporate IT infrastructure and systems
- Our digital assets and online services directly hosted or controlled by us
- Any systems or services directly operated by TPO Group, LLC
- Custom applications or tools we develop and maintain
Out of Scope:
- Our website (tpo.group): This is hosted on the Wix platform. Any vulnerabilities related to our website should be reported directly to Wix at security@wix.com or through their responsible disclosure program
- Third-party services we use but do not control
- Client systems or infrastructure (these should be reported directly to the affected client)
- Physical security issues at our offices
- Social engineering attacks against our employees
3. Safe Harbor
TPO Group, LLC supports responsible security research and will not pursue legal action against researchers who:
- Follow this vulnerability disclosure policy
- Act in good faith to report vulnerabilities
- Do not intentionally harm our systems, data, or users
- Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability
- Do not publicly disclose vulnerabilities before we have had reasonable time to address them
We commit to working with security researchers to understand and address security vulnerabilities in accordance with this policy.
4. Responsible Disclosure Guidelines
When conducting security research on TPO Group systems, please:
4.1 Do:
- Use only your own accounts and data for testing
- Respect our systems' availability and performance
- Report vulnerabilities promptly through our designated channels
- Provide detailed information to help us understand and reproduce the issue
- Allow reasonable time for us to investigate and address the vulnerability
- Maintain confidentiality until the vulnerability is resolved
4.2 Don't:
- Access, modify, or delete data that does not belong to you
- Disrupt our services or degrade system performance
- Perform testing that could harm our business operations or client services
- Share or publicly disclose vulnerability information before resolution
- Attempt to gain unauthorized access to client data or systems
- Engage in social engineering attacks against our employees or clients
5. Reporting Process
5.1 How to Report
To report a security vulnerability, please send an email to: security@tpo.group
5.2 Information to Include
Please include the following information in your report:
- Vulnerability Description: Clear explanation of the security issue
- Affected Systems: Specific URLs, systems, or components affected
- Impact Assessment: Potential impact and severity of the vulnerability
- Reproduction Steps: Detailed steps to reproduce the vulnerability
- Proof of Concept: Screenshots, videos, or other evidence (if applicable)
- Your Contact Information: For follow-up questions and coordination
- Discovery Date: When you first identified the vulnerability
5.3 Sensitive Reports
For highly sensitive vulnerability reports, please clearly mark your email as "CONFIDENTIAL - SECURITY VULNERABILITY" in the subject line. We maintain secure email practices and encrypted communications for sensitive security matters; if you would prefer not to send exploit details in plain email, contact us at the address above first so a secure channel can be arranged before you send them.
6. Our Response Process
6.1 Initial Response
- You will receive an automated response acknowledging receipt of your submission and thanking you for your report
- We will internally assess your report to determine its validity and potential impact
- We will provide a response to you if we are able to confirm the validity of your report
6.2 Ongoing Communication
Based on our internal assessment of the report's criticality and our available resources, we may not be able to provide detailed status updates or additional information beyond our initial response.
6.3 Our Commitment
Regardless of our ability to provide ongoing communication, we sincerely thank you for your care for the safety and security of the internet. We will do our best to use any information you provide us to improve information security.
6.4 Resolution Approach
As a cybersecurity consultancy, we understand the importance of addressing security vulnerabilities appropriately and will prioritize confirmed issues based on their severity and impact.
6.5 Public Disclosure
- We support responsible disclosure practices
- We will not publicly disclose vulnerabilities until they have been appropriately addressed
- After resolution, we may publish information about the vulnerability and our response
- We will make reasonable efforts to coordinate with you on any public disclosure and provide appropriate credit when possible
7. Recognition and Rewards
7.1 Recognition
We believe in recognizing security researchers who help improve our security posture:
- Public acknowledgment on our website (with your permission)
- Recognition in our security advisories (if applicable)
- Professional reference or recommendation (upon request)
7.2 Monetary Rewards
While we do not currently operate a formal bug bounty program, we may provide:
- Discretionary monetary rewards for significant vulnerabilities
- Charitable donations in your name for critical security issues
- TPO Group branded merchandise or conference materials
Rewards are determined on a case-by-case basis considering the vulnerability's impact, quality of the report, and adherence to this policy.
8. Types of Vulnerabilities
We are particularly interested in reports of:
- Remote code execution vulnerabilities
- SQL injection and other injection attacks
- Cross-site scripting (XSS) vulnerabilities
- Authentication and authorization bypass issues
- Data exposure or privacy vulnerabilities
- Significant business logic flaws
- Server-side request forgery (SSRF)
- Insecure direct object references (IDOR)
Lower Priority Issues:
- Self-XSS requiring significant social engineering
- Rate limiting issues without clear impact
- Missing security headers without demonstrated exploitation
- Clickjacking on non-sensitive pages
- Issues requiring physical access to our facilities
9. Legal Considerations
9.1 Good Faith Research
This policy is designed to be compatible with common vulnerability research activities. We will not initiate legal action for activities that are conducted in accordance with this policy.
9.2 Third-Party Systems
If you discover vulnerabilities in third-party systems while researching our infrastructure, please report them directly to the affected vendor and notify us if the issue impacts our security posture.
9.3 Law Enforcement
We will not involve law enforcement for good faith security research conducted in accordance with this policy.
10. Contact Information
For vulnerability reports and security-related inquiries:
TPO Group, LLC
- Primary Contact: security@tpo.group
- Business Address: 255 S King St Ste 800, Seattle, WA 98104
- Website: tpo.group
For questions about secure communication or reporting procedures, please contact us at the above email address.
11. Policy Updates
This Vulnerability Disclosure Policy may be updated from time to time to reflect changes in our security practices, legal requirements, or industry standards. Updates will be posted on our website at tpo.group with the revised "Last Updated" date.
12. Commitment to Security
As cybersecurity professionals, we understand the importance of maintaining robust security practices and appreciate the efforts of the security research community. This policy reflects our commitment to:
- Protecting our clients' interests and data
- Maintaining the security of our own systems and operations
- Supporting responsible security research
- Contributing to the broader cybersecurity community
This vulnerability disclosure policy demonstrates our commitment to cybersecurity best practices and our appreciation for the security research community's contributions to improving overall security posture.