TrekMail — Security & Vulnerability Disclosure Policy

Effective Date: January 17, 2026

Last Updated: March 26, 2026

1. Introduction and Purpose

TrekGuider Inc. ("TrekMail," "we," "us," or "our") is committed to the security of our users and the integrity of our services. This Security & Vulnerability Disclosure Policy ("Policy") outlines the rules of engagement for security researchers ("Researcher" or "you") to report potential vulnerabilities discovered in TrekMail's products and services (collectively, the "Services").

This Policy constitutes a set of binding guidelines. By submitting a report to TrekMail, you agree to comply with the terms set forth herein.

Infrastructure Location: TrekMail's email infrastructure is hosted in the European Union (France). All email data — including mailbox contents, metadata, and logs — is stored and processed within the EU, subject to GDPR protections.

2. Safe Harbor and Legal Status

TrekMail supports safe, productive, and robust security research.

A. Authorization Under the CFAA

If you conduct your research and reporting activities in strict compliance with this Policy, TrekMail will:

  1. Consider your research to be "authorized" under the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good-faith violations of this Policy.
  2. Waive any relevant restrictions in our Terms of Service (TOS) that would prohibit the specific non-disruptive testing required to conduct your research.

B. DMCA Exemption

TrekMail will not bring a claim against you for circumvention of technology controls (e.g., under the Digital Millennium Copyright Act (DMCA)) where such circumvention is essential to the research and is performed solely to identify security flaws.

C. Limitations on Safe Harbor

This Safe Harbor applies ONLY to legal claims under TrekMail's control. We cannot authorize activity on third-party systems (e.g., our hosting providers, payment processors). If legal action is initiated by a third party (e.g., law enforcement or another vendor) against you because of your activities, and you have complied with this Policy, TrekMail will take reasonable steps to make it known that your actions were conducted in compliance with this Policy.

3. Scope of Program

A. In-Scope Assets

We accept reports regarding:

  • TrekMail web application, customer dashboards, and administrative interfaces.
  • TrekMail REST API (v1) and associated authentication endpoints.
  • TrekMail MCP (Model Context Protocol) server and AI agent integration layer.
  • TrekMail Email Verifier service, including bulk verification endpoints and credit purchase flows.
  • Authentication (OAuth/SSO) and authorization logic, including social login providers and two-factor authentication.
  • TrekMail-managed mail infrastructure (MTA-STS, TLS configurations, routing logic) specifically operated by us.

B. Out-of-Scope and Prohibited Activities

The following activities are strictly prohibited and will result in immediate disqualification from Safe Harbor protections:

  • Physical Attacks: Any attempt to gain physical access to our offices, data centers, or employees.
  • Social Engineering: Phishing, vishing, or any manipulation of TrekMail employees, contractors, or customers.
  • Denial of Service (DoS/DDoS): Any testing that degrades the performance or availability of the Services.
  • Data Destruction: Deleting, corrupting, or modifying data that does not belong to you.
  • Automated Scanning: High-volume automated scanners that trigger rate limits or abuse detection systems.
  • Third-Party Systems: Vulnerabilities in third-party libraries or vendors (e.g., Stripe, PayPal, AWS/GCP underlying infrastructure) unless the issue arises directly from TrekMail's implementation.

4. Reporting Protocol

To prevent spam and abuse, we do not publish a public email address for security reporting. Reports must be submitted via the following channels:

  1. Support Ticket (Preferred): Submit a ticket via the TrekMail dashboard labeled "Security / Vulnerability Report."
  2. Web Form: If you cannot access the dashboard, use the public contact form on our website, clearly prefacing the message with "SECURITY DISCLOSURE."
  3. Postal Mail:
    TrekGuider Inc.
    Attn: Security Team
    1207 Delaware Ave, #2058
    Wilmington, DE 19806
    United States

Content of Report:

To help us validate your finding, your report must include:

  • The specific URL, endpoint, or component affected.
  • A step-by-step "Proof of Concept" (PoC) to reproduce the issue.
  • Evidence of the issue (screenshots, video, or HTTP logs).
  • Your assessment of the impact.

Warning: Do not include sensitive Personally Identifiable Information (PII) of other users in your report. If you encounter PII, stop immediately and report the existence of the vulnerability without extracting the data.

5. Coordinated Disclosure Timeline

To protect our user base, we request a standard coordinated disclosure window:

  • 90-Day Embargo: You agree to refrain from disclosing the vulnerability to the public or any third party for 90 days following our acknowledgement of your report, or until we have deployed a fix, whichever occurs first.
  • Extensions: In cases of complex vulnerabilities, we may request an extension of this window.
  • Early Disclosure: TrekMail may authorize earlier disclosure in writing if the risk is mitigated sooner.

6. Intellectual Property and License

By submitting a report, suggestion, or code snippet to TrekMail:

  1. You represent and warrant that the content is your own original work.
  2. You grant TrekMail and its affiliates a perpetual, irrevocable, worldwide, royalty-free, fully paid-up, non-exclusive, sub-licensable license to use, reproduce, modify, display, distribute, and otherwise exploit the feedback and information provided for any purpose (including fixing the bug and improving our Services).

7. Compensation (No Bug Bounty)

This is a Vulnerability Disclosure Program (VDP), NOT a Bug Bounty Program.

Unless explicitly stated otherwise in a separate written agreement:

  • TrekMail does not guarantee monetary rewards, bounties, or compensation for vulnerability reports.
  • Any reward or recognition (such as "Hall of Fame" credit or swag) is provided entirely at TrekMail's sole discretion.

8. General Provisions

  • No Contract: This Policy does not create a contract between you and TrekMail.
  • Modifications: We reserve the right to modify this Policy at any time. Updates will be effective upon posting.
  • Compliance with Laws: You are responsible for complying with all applicable local and national laws during your research. If you are located in a country under US sanctions (e.g., OFAC lists), we cannot provide you with any form of recognition or reward.

9. Contact

For questions regarding this Policy, please contact us via the support channels listed in Section 4 or via mail at our Wilmington, DE address.
