Security and Responsible Disclosure Policy

Last updated: June 24, 2026

TvRMM is security-sensitive because it can manage endpoints. The product is built around outbound agents, certificate-based trust, role-scoped access, logged operational actions, and customer-approved support access.

Security posture​

TvRMM is designed to use:

• HTTPS for portal and agent traffic;
• agent identity, trust bundles, and certificate-based authentication where supported;
• route and handler authorization for human-facing actions;
• tenant and organization scoping;
• role-gated mutations;
• deleted-endpoint rejection and certificate revocation paths;
• audit logs, command results, and session records where supported;
• customer-approved and logged support access where technically available.

No security program can guarantee that incidents will never occur. Customers should maintain endpoint backups, safe local administrator access, least-privilege roles, secure credential storage, and tested recovery plans.

Customer responsibilities​

Customers are responsible for:

• securing endpoint administrator credentials;
• reviewing scripts, commands, patch approvals, reboot policies, and remote workflows before use;
• granting roles only to trusted users;
• protecting bootstrap commands, access tokens, and support exports;
• complying with employment, privacy, monitoring, and computer-use laws;
• promptly removing users and agents that should no longer have access.

Vulnerability reports​

Security researchers may report suspected vulnerabilities through the contact form using the security topic. Include:

• a clear description;
• affected URL, endpoint, agent behavior, or component;
• steps to reproduce;
• impact;
• safe proof of concept;
• contact information for follow-up.

Do not include real customer data, secrets, private keys, password dumps, or destructive payloads.

Authorized research boundaries​

Good-faith research should:

• use accounts, tenants, endpoints, and data you own or are authorized to test;
• avoid privacy violations and data exfiltration;
• avoid service disruption, denial of service, spam, phishing, or social engineering;
• avoid persistence, malware, credential theft, or destructive actions;
• stop testing and report promptly if you encounter customer data or service-impacting behavior.

TvRMM does not currently offer a public bug bounty. Reports may be acknowledged, but compensation is not promised unless agreed in writing.

Coordinated disclosure​

TvRMM asks researchers to allow a reasonable remediation period before public disclosure. A typical target is 90 days from report acknowledgement, adjusted for severity, exploitability, and remediation complexity.

Incident notification​

If TvRMM confirms a security incident affecting Customer Data, it will notify affected customers without undue delay unless legally restricted. Notices should include known impact, affected data types, mitigation steps, and recommended customer actions where available.

Security contact​

Use the TvRMM contact form for security questions or vulnerability reports. Do not send secrets through the public form.