TrekMail — Security & Vulnerability Disclosure Policy

Effective Date: January 17, 2026

Last Updated: May 8, 2026

Security Hall of Fame

Researchers credited for valid reports under this disclosure policy.

1. Introduction and Purpose

TrekGuider Inc. ("TrekMail," "we," "us," or "our") is committed to the security of our users and the integrity of our services. This Security & Vulnerability Disclosure Policy ("Policy") outlines the rules of engagement for security researchers ("Researcher" or "you") to report potential vulnerabilities discovered in TrekMail's products and services (collectively, the "Services").

This Policy constitutes a set of binding guidelines. By submitting a report to TrekMail, you agree to comply with the terms set forth herein.

Infrastructure Location: TrekMail uses infrastructure and service providers in multiple jurisdictions to operate the Services. Core mailbox infrastructure may be hosted in the European Union, while file storage, supporting systems, security tooling, logs, and subprocessors may operate in other jurisdictions subject to applicable safeguards.

2. Safe Harbor and Legal Status

TrekMail supports safe, productive, and robust security research.

A. Authorization Under the CFAA

If you conduct your research and reporting activities in strict compliance with this Policy, TrekMail will:

  1. Consider your research to be "authorized" under the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good-faith violations of this Policy.
  2. Waive any relevant restrictions in our Terms of Service (TOS) that would prohibit the specific non-disruptive testing required to conduct your research.

B. DMCA Exemption

TrekMail will not bring a claim against you for circumvention of technology controls (e.g., under the Digital Millennium Copyright Act (DMCA)) where such circumvention is essential to the research and is performed solely to identify security flaws.

C. Limitations on Safe Harbor

This Safe Harbor applies ONLY to legal claims under TrekMail's control. We cannot authorize activity on third-party systems (e.g., our hosting providers, payment processors). If legal action is initiated by a third party (e.g., law enforcement or another vendor) against you because of your activities, and you have complied with this Policy, TrekMail will take reasonable steps to make it known that your actions were conducted in compliance with this Policy.

3. Scope of Program

A. In-Scope Assets

We accept reports regarding:

  • TrekMail web application, customer dashboards, and administrative interfaces.
  • TrekMail REST API (v1) and associated authentication endpoints.
  • TrekMail MCP (Model Context Protocol) server and AI agent integration layer.
  • TrekMail Email Verifier service, including bulk verification endpoints and credit purchase flows.
  • TrekMail Drive and Account Drive authorization logic, including file upload, download, folder management, Trash, quota enforcement, and account-level shared folder controls.
  • Public Drive download links, link creation and revocation, expiry, download-limit behavior, and authorization controls implemented by TrekMail.
  • Authentication (OAuth/SSO) and authorization logic, including social login providers and two-factor authentication.
  • TrekMail-managed mail infrastructure (MTA-STS, TLS configurations, routing logic) specifically operated by us.

B. Out-of-Scope and Prohibited Activities

The following activities are strictly prohibited and will result in immediate disqualification from Safe Harbor protections:

  • Physical Attacks: Any attempt to gain physical access to our offices, data centers, or employees.
  • Social Engineering: Phishing, vishing, or any manipulation of TrekMail employees, contractors, or customers.
  • Denial of Service (DoS/DDoS): Any testing that degrades the performance or availability of the Services.
  • Data Destruction: Deleting, corrupting, or modifying data that does not belong to you.
  • Automated Scanning: High-volume automated scanners that trigger rate limits or abuse detection systems.
  • Third-Party Systems: Vulnerabilities in third-party libraries, infrastructure, object storage providers, payment processors, CDNs, or vendors unless the issue arises directly from TrekMail's implementation or configuration.
  • Public Link Abuse or Content Complaints: Reports that a public Drive link contains illegal, infringing, or abusive content should be submitted through the abuse or support channels described in our Terms and Acceptable Use Policy, not through this vulnerability disclosure process unless the report also identifies a security vulnerability.

4. Reporting Protocol

We do not publish public email addresses for security reporting to prevent spam and abuse. Reports must be submitted via the following channels:

  1. Support Ticket (Preferred): Submit a ticket via the TrekMail dashboard labeled "Security / Vulnerability Report."
  2. Web Form: If you cannot access the dashboard, use the public contact form on our website, clearly prefacing the message with "SECURITY DISCLOSURE."
  3. Postal Mail:
    TrekGuider Inc.
    Attn: Security Team
    1207 Delaware Ave, #2058
    Wilmington, DE 19806
    United States

Content of Report:

To help us validate your finding, your report must include:

  • The specific URL, endpoint, or component affected.
  • A step-by-step "Proof of Concept" (PoC) to reproduce the issue.
  • Evidence of the issue (screenshots, video, or HTTP logs).
  • Your assessment of the impact.

Examples of potentially high-impact Drive findings include unauthorized cross-account file access, public link authorization bypass, unauthorized shared-folder modification, quota bypass with security impact, or exposure of another customer's file metadata. Do not access, download, copy, modify, or delete data that does not belong to you.

Warning: Do not include sensitive Personally Identifiable Information (PII) of other users in your report. If you encounter PII, stop immediately and report the existence of the vulnerability without extracting the data.

5. Coordinated Disclosure Timeline

To protect our user base, we request a standard coordinated disclosure window:

  • 90-Day Embargo: You agree to refrain from disclosing the vulnerability to the public or any third party for 90 days following our acknowledgement of your report, or until we have deployed a fix, whichever occurs first.
  • Extensions: In cases of complex vulnerabilities, we may request an extension of this window.
  • Early Disclosure: TrekMail may authorize earlier disclosure in writing if the risk is mitigated sooner.

6. Intellectual Property and License

By submitting a report, suggestion, or code snippet to TrekMail:

  1. You represent and warrant that the content is your own original work.
  2. You grant TrekMail and its affiliates a perpetual, irrevocable, worldwide, royalty-free, fully paid-up, non-exclusive, sub-licensable license to use, reproduce, modify, display, distribute, and otherwise exploit the feedback and information provided for any purpose (including fixing the bug and improving our Services).

7. Compensation (No Bug Bounty)

This is a Vulnerability Disclosure Program (VDP), NOT a Bug Bounty Program.

Unless explicitly stated otherwise in a separate written agreement:

  • TrekMail does not guarantee monetary rewards, bounties, or compensation for vulnerability reports.
  • Any reward or recognition (such as Hall of Fame credit or swag) is provided entirely at TrekMail's sole discretion.

8. General Provisions

  • No Contract: This Policy does not create a contract between you and TrekMail.
  • Modifications: We reserve the right to modify this Policy at any time. Updates will be effective upon posting.
  • Compliance with Laws: You are responsible for complying with all applicable local and national laws during your research. If you are located in a country under US sanctions (e.g., OFAC lists), we cannot provide you with any form of recognition or reward.

9. Contact

For questions regarding this Policy, please contact us via the support channels listed in Section 4 or via mail at our Wilmington, DE address.
