Security

Run-True Decision Vulnerability Disclosure Program

Run-True Decision welcomes good-faith reports of security vulnerabilities affecting RTD software, RTD-operated systems, release artifacts, or security processes.

Contact

Send vulnerability reports to security@run-true.com.

Please include enough information for RTD to understand, reproduce, and assess the issue. Do not send secrets, credentials, production customer data, regulated data, or unnecessary personally identifiable information.

Scope

In Scope

  • Vulnerabilities in shipped RTD Fraud Decision Engine (FDE) software.
  • Vulnerabilities in RTD release packages, container images, delivery artifacts, dependency use, or release-integrity processes.
  • Vulnerabilities in RTD-operated websites, sandbox, demo, pilot, or support systems where RTD controls the runtime.
  • Vulnerabilities in RTD source, build, CI/CD, vulnerability intake, advisory, or security evidence workflows.

Out of Scope

  • Customer-operated production FDE deployments, bank environments, customer data centers, customer cloud accounts, customer monitoring systems, customer backups, customer identity providers, and customer incident-response systems.
  • Systems owned or operated by RTD customers, partners, vendors, cloud providers, or third parties unless that party has separately authorized the testing.
  • Demo-only repositories, and other repositories that do not affect production FDE, customer data, production controls, monitoring, audit, or evidence systems.
  • Social engineering, phishing, spam, physical attacks, denial-of-service, destructive testing, persistence, malware, credential attacks, data exfiltration, or attempts to access data that is not yours.

If you are unsure whether a target is in scope, ask RTD before testing.

Research Rules

  • Act in good faith and stay within this policy.
  • Avoid privacy impact, data destruction, service disruption, and degradation of RTD or customer systems.
  • Stop testing and report immediately if you encounter customer data, personal data, credentials, secrets, or regulated data.
  • Avoid public disclosure until RTD has confirmed the issue, assessed customer impact, and had a reasonable opportunity to remediate or coordinate.
  • Provide a clear report with affected product or system, steps to reproduce, impact, evidence, and any suggested mitigation.

Do not submit exploit code, raw production data, secrets, credentials, or unredacted support artifacts unless RTD explicitly requests them through an approved private channel. Reproduction steps and redacted evidence are sufficient for initial triage.

Safe Harbor Intent

RTD does not intend to pursue legal action against good-faith security research that is authorized by this policy, avoids privacy and service impact, and is reported promptly through the approved contact channel.

This safe harbor statement applies only to RTD-owned or RTD-operated systems within the scope above. It does not authorize testing of customer-operated production systems or third-party systems. It also does not override applicable laws, customer contracts, third-party rights, or obligations outside RTD's authority.

What RTD Will Do

  • Acknowledge critical reports within 1 hour where practical.
  • Acknowledge high reports within 4 hours where practical.
  • Acknowledge medium reports within 1 business day where practical.
  • Acknowledge low reports within 5 business days where practical.
  • Triage severity, affected versions, customer impact, and shared responsibility boundaries.
  • Keep sensitive vulnerability details confidential until disclosure is reviewed.
  • Decide on a patched release, a mitigation, an advisory, or a no-exploit-path finding according to the vulnerability disclosure and patched-release SLA process.

Target Patched-Release Timelines

Severity   Target
Critical   7 days, where RTD owns the fix and has enough information to validate the exploit path.
High       30 days, where RTD owns the fix and has enough information to validate the exploit path.
Medium     Next minor release or risk-based patch train.
Low        Quarterly roll-up or next suitable release.

These are target response and remediation windows, not uptime, bounty, or service-level guarantees.

Customer Production Boundary

RTD FDE is commonly deployed in customer-operated environments. Customers own their production infrastructure, runtime monitoring, backups, identity provider, access administration, deployment timing, local incident response, and regulatory breach notification.

RTD does not authorize security testing against customer-operated production deployments through this VDP. If a report concerns a customer-operated deployment, contact the customer through their approved channel and contact RTD only for RTD product vulnerability triage, patched-release guidance, or support-artifact handling.

Bounty and Recognition

RTD does not currently operate a bug bounty or paid reward program. RTD may acknowledge researchers in release notes or advisories when disclosure timing, customer confidentiality, and researcher preference allow it.

Public Disclosure

Do not publicly disclose vulnerability details until RTD has confirmed the issue, assessed affected releases and customer impact, prepared any needed private customer advisory, and approved disclosure timing.

RTD may publish customer-safe release notes, advisories, or CVE information when the exploit path, affected release, customer impact, and communication plan have been reviewed.

Last updated: June 20, 2026

Machine-readable security contact (RFC 9116 security.txt): /.well-known/security.txt