TKOResearch

Vulnerability Disclosure Policy

Effective: December 17, 2025

TKOResearch LLC · 1500 Chestnut Street Suite 2, Philadelphia, PA 19102

Introduction

TKOResearch welcomes security researchers who help us improve the security of our systems. This policy describes how to report vulnerabilities to us and what you can expect in return.

We are committed to working with researchers who act in good faith to identify and report security issues. We will not take legal action against researchers who follow this policy.

Scope

This policy applies to the following TKOResearch systems:

  • tkoresearch.com and all subdomains
  • API endpoints associated with tkoresearch.com
  • TKOResearch-operated email systems

Out of Scope

The following are explicitly excluded from this policy:

  • Third-party services we use (Vercel, Resend, etc.); report issues in those services to the vendor directly
  • Physical security of our facilities
  • Social engineering of TKOResearch employees
  • Denial of service attacks
  • Any testing that could degrade service for other users

How to Report

Send vulnerability reports to:

What to Include

Please include the following in your report:

  • Description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Affected URL, parameter, or component
  • Screenshots or proof-of-concept (if applicable)
  • Your assessment of the severity
  • Your contact information for follow-up questions

What to Expect

  • Acknowledgment: We will acknowledge receipt of your report within 5 business days
  • Assessment: We will evaluate the report and determine if it qualifies as a valid vulnerability
  • Updates: We will keep you informed of our progress toward remediation
  • Resolution: We aim to resolve valid vulnerabilities within 90 days, depending on severity and complexity
  • Credit: With your permission, we will publicly acknowledge your contribution after the issue is resolved

Safe Harbor

We will not pursue legal action against you if you:

  • Act in good faith to avoid privacy violations, data destruction, and service disruption
  • Do not access, modify, or delete data belonging to others
  • Stop testing and report immediately upon discovering a vulnerability
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it
  • Give us reasonable time to remediate before public disclosure
  • Do not conduct testing that could harm our systems or users

This safe harbor does not extend to violations of law, testing against systems not listed in scope, or actions that harm TKOResearch users or third parties.

Guidelines for Researchers

Do:

  • Test only against your own accounts where applicable
  • Report vulnerabilities promptly
  • Provide sufficient detail to reproduce the issue
  • Keep vulnerability details confidential until we have remediated

Do Not:

  • Access, download, or modify data that does not belong to you
  • Perform actions that could harm availability (DoS, resource exhaustion)
  • Use automated scanners that generate excessive traffic
  • Test against production systems when staging/test environments are available
  • Disclose vulnerabilities publicly before they are fixed
  • Demand payment or threaten disclosure

Rewards

We do not currently offer a paid bug bounty program. However, we are happy to:

  • Publicly acknowledge your contribution (with your permission)
  • Provide a reference letter for security researchers who report significant findings

Policy Updates

This policy may be updated from time to time. The effective date at the top of this page indicates when the policy was last revised. This policy expires December 17, 2026, at which point it will be reviewed and renewed.

Contact

For questions about this policy or to report a vulnerability: