TKOResearch LLC · 1500 Chestnut Street Suite 2, Philadelphia, PA 19102
Introduction
TKOResearch welcomes security researchers who help us improve the security of our systems. This policy describes how to report vulnerabilities to us and what you can expect in return.
We are committed to working with researchers who act in good faith to identify and report security issues. We will not take legal action against researchers who follow this policy.
Scope
This policy applies to the following TKOResearch systems:
tkoresearch.com and all subdomains
API endpoints associated with tkoresearch.com
TKOResearch-operated email systems
Out of Scope
The following are explicitly excluded from this policy:
Third-party services we use (Vercel, Resend, etc.) - report to those vendors directly
Physical security of our facilities
Social engineering of TKOResearch employees
Denial of service attacks
Any testing that could degrade service for other users
Description of the vulnerability and its potential impact
Step-by-step instructions to reproduce the issue
Affected URL, parameter, or component
Screenshots or proof-of-concept (if applicable)
Your assessment of the severity
Your contact information for follow-up questions
What to Expect
Acknowledgment: We will acknowledge receipt of your report within 5 business days
Assessment: We will evaluate the report and determine if it qualifies as a valid vulnerability
Updates: We will keep you informed of our progress toward remediation
Resolution: We aim to resolve valid vulnerabilities within 90 days, depending on severity and complexity
Credit: With your permission, we will publicly acknowledge your contribution after the issue is resolved
Safe Harbor
We will not pursue legal action against you if you:
Act in good faith to avoid privacy violations, data destruction, and service disruption
Do not access, modify, or delete data belonging to others
Stop testing and report immediately upon discovering a vulnerability
Do not exploit the vulnerability beyond what is necessary to demonstrate it
Give us reasonable time to remediate before public disclosure
Do not conduct testing that could harm our systems or users
This safe harbor does not extend to violations of law, testing against systems not listed in scope, or actions that harm TKOResearch users or third parties.
Guidelines for Researchers
Do:
Test only against your own accounts where applicable
Report vulnerabilities promptly
Provide sufficient detail to reproduce the issue
Keep vulnerability details confidential until we have remediated
Do Not:
Access, download, or modify data that does not belong to you
Perform actions that could harm availability (DoS, resource exhaustion)
Use automated scanners that generate excessive traffic
Test against production systems when staging/test environments are available
Disclose vulnerabilities publicly before they are fixed
Demand payment or threaten disclosure
Rewards
We do not currently offer a paid bug bounty program. However, we are happy to:
Publicly acknowledge your contribution (with your permission)
Provide a reference letter for security researchers who report significant findings
Policy Updates
This policy may be updated from time to time. The effective date at the top of this page indicates when the policy was last revised. This policy expires December 17, 2026, at which point it will be reviewed and renewed.
Contact
For questions about this policy or to report a vulnerability: