Updated January 19, 2026
At Tieriun, we take the security of our systems and the privacy of our users seriously. We appreciate the research community and welcome vulnerability reports from independent researchers who identify issues in our platforms.
Important: No Bounty / Reward Program
Please be aware that Tieriun does not operate a paid Bug Bounty Program. We do not offer financial rewards or compensation for vulnerability reports. We express our gratitude to researchers who report issues responsibly by acknowledging their contribution (upon request and verification), but we will not entertain demands for payment.
Reporting Guidelines
If you believe you have found a security vulnerability, please report it to us at: security@tieriun.com
Please include:
- A description of the vulnerability.
- Steps to reproduce the issue (POC).
- The potential impact.
Safe Harbor
We support safe harbor for researchers who:
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Only interact with accounts they own or have explicit permission to use.
- Report the vulnerability directly to us and allow us a reasonable amount of time to resolve the issue before making it public.
If you follow these guidelines, Tieriun will not pursue legal action against you regarding your research.
Out of Scope (Non-Qualifying Vulnerabilities)
To save your time and ours, please do not report the following, as we do not consider them critical vulnerabilities requiring immediate attention or attribution:
- Email Configuration: Missing or loose SPF, DKIM, or DMARC records.
- HTTP Headers: Missing security headers (e.g., HSTS, CSP, X-Frame-Options, X-Content-Type-Options) without a proof of exploitation.
- Information Disclosure: Server version banners, public files (robots.txt, security.txt), or non-sensitive exposed paths.
- Volume-based attacks: DoS/DDoS, brute forcing, or rate limiting issues.
- UI/UX bugs: Clickjacking on pages with no sensitive actions, text injection.
- Automated scan reports generated by tools (e.g., Burp Suite, Nessus) without manual validation.
Response Timeline
We will acknowledge receipt of your report. However, due to the volume of automated spam, we may not respond to reports that fall into the "Out of Scope" category listed above or reports that demand payment as a prerequisite for disclosure.
