Responsible Disclosure & Vulnerability Handling Policy (Beta)

At Teya, we take the security and privacy of our customers, partners, and systems seriously. We appreciate the efforts of security researchers and ethical hackers who help us identify vulnerabilities responsibly. This document outlines how to report vulnerabilities to us and what you can expect from Teya throughout the disclosure process.

📥 Reporting a Security Vulnerability

If you believe you’ve discovered a security vulnerability that affects Teya systems, services, products, or partners, please report it responsibly to our security team.

Report via email:
Report a security vulnerability

Include in your report:

  • A clear description of the issue

  • Steps to reproduce

  • The potential impact

  • Any relevant tools, logs, or screenshots

  • Suggested fix or mitigation (optional)

We aim to acknowledge your report within 3 business days and provide regular updates.

Our Commitments to You

If you act in good faith and within scope:

  • We won’t pursue legal action.

  • We will not ask you to sign an NDA specific to the vulnerability.

  • We’ll credit your contribution if you wish.

  • We may offer non-monetary recognition, including swag or public thanks.

What’s in Scope

You may test and report issues in:

  • Public-facing *.teya.com domains

  • Teya APIs and SDKs

  • Mobile and web applications (latest versions)

  • Integrations and sandbox environments

🚫 What’s Out of Scope

Please DO NOT use:

  • Social engineering or phishing

  • Physical security testing

  • DDoS or spam attacks

  • Accessing or modifying others' data

We may reject reports that include:

  • Clickjacking on static pages

  • Missing HTTP security headers

  • Outdated libraries without exploitation

  • SPF/DMARC misconfigs with no abuse

Disclosure Timeline

Our standard disclosure window is 90 days from the date of your first report.

  • If no response is received in 30 days, we may disclose the issue publicly.

  • If resolved earlier, we may coordinate disclosure with the fix release.

  • We allow a grace period of up to 14 days upon request, with strong communication.

Communication Principles

  • We will keep you informed at each stage.

  • We expect reciprocal transparency — update us as you test or observe.

  • We welcome questions, clarifications, and deep technical engagement.

What We May Publish

  • Technical details of validated vulnerabilities

  • Proof-of-concepts or tools for detection (non-weaponized)

  • Disclosure timeline and collaboration summary

  • Mitigation advice or patches (jointly, where possible)

  • CVE identifiers, if applicable

Our Policy Philosophy

Security isn't binary. We tailor disclosure based on context:

  • If a vulnerability is already being exploited or leaked, we may accelerate disclosure.

  • If the vendor is inexperienced, we may extend timelines and guide them.

We believe in coordinated disclosure, with the safety of end users as our priority.

Feedback & Questions

Have feedback on this policy or a process suggestion?

📧 Email us at: security@teya.com (DO NOT send reports here)




Copyright © 2024 Teya Services Ltd. Teya Iceland hf. (ID no. 440686-1259) is licensed by the Financial Supervisory Authority of the Central Bank of Iceland as a credit undertaking.
