Security & Responsible Disclosure
Last updated: 2026-05-27
We take the security of TrumpWatch seriously and welcome reports from security researchers. This policy explains what is in scope, how to report a vulnerability, and the protections we offer to good-faith researchers. A machine-readable version of our contact details is published at /.well-known/security.txt.
1. How to report
Email security@trumpstockwatch.com with enough detail for us to reproduce the issue: affected URL or endpoint, a description of the vulnerability, reproduction steps, and any proof-of-concept. Please do not include third parties' data in your report.
2. Scope
In scope:
- The TrumpWatch web application at its primary production domain and its API endpoints.
- Authentication, authorisation, billing, and data-exposure issues affecting our own systems.
Out of scope:
- Vulnerabilities in third-party services we use (Stripe, Resend, Neon, Vercel) — please report those to the relevant provider.
- Reports from automated scanners without a demonstrated, exploitable impact.
- Denial-of-service, volumetric, or rate-limit testing; social engineering of our staff or users; physical attacks.
- Missing security headers or best-practice suggestions without a concrete exploit.
- Spam, and issues that require a rooted or jailbroken device or a man-in-the-middle (MITM) position to exploit.
3. Rules of engagement
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
- Only interact with accounts you own or have explicit permission to test. Do not access, modify, or exfiltrate other users' data.
- Give us a reasonable time to remediate before any public disclosure, and coordinate timing with us.
4. Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorised, we will not pursue or support legal action against you for it, and we will work with you to understand and resolve the issue quickly. If a third party brings legal action against you for activity conducted in line with this policy, we will make that authorisation known. This is not a waiver of any rights of third parties.
5. Our response targets
- Acknowledgement — within 3 business days of your report.
- Triage and severity assessment — within 10 business days.
- Resolution — as quickly as the severity warrants; we will keep you updated on progress.
6. Rewards
We do not currently operate a paid bug-bounty program. We are grateful for responsible disclosures and are happy to credit researchers (with your permission) once an issue is resolved.
7. Contact
Security contact: security@trumpstockwatch.com.