Responsible Disclosure

Last updated: January 17, 2025

At Terac, we care deeply about the safety and security of our customer's data. We greatly value inputs from our community that can help us detect vulnerabilities in our product and services.

How to report an issue

If you have discovered an issue or vulnerability that is in-scope (see below), please send an email to security@terac.com with the following details:

  • A summary of the vulnerability and potential impact
  • Steps to reproduce the issue, including screenshots
  • Details of your environment including OS, browser, and device details
  • If possible, proof-of-concept code to exploit the vulnerability

Upon receiving your email, our team will conduct an investigation. We will update you on our progress, and may request further details if needed.

Response timeline

  • Acknowledgment — within 5 business days
  • Initial assessment — within 10 business days
  • Resolution — based on severity (critical: 24-48 hours, high: 7 days, medium: 30 days)

Rewards

We offer rewards for valid, previously unidentified reports based on the severity (CVSS) of the vulnerability:

  • Critical (CVSS 9.0+) — up to $500
  • High (CVSS 7.0-8.9) — up to $200
  • Medium (CVSS 4.0-6.9) — up to $50

Lower-severity and other original reports will be considered at our discretion, and may be recognized on our security page or with financial compensation.

In scope

  • https://terac.com and all subdomains
  • Terac mobile applications (iOS)
  • Terac API endpoints
  • Terac GitHub apps and repositories

Out-of-scope

  • Automated scanning
  • Social engineering, particularly involving Terac employees
  • Brute force attacks
  • DDOS attacks
  • Clickjacking on pages with no sensitive actions
  • Theoretical attacks without proof of exploitability
  • Attacks requiring physical access to a victim's device
  • Denial of service attacks

We kindly ask you

  • Test the vulnerability on your own account. If testing on another account, make sure to have requested explicit permission
  • Do not copy or destroy production data
  • Do not engage in activities that will cause downtime for our services
  • Avoid violations to our privacy policies, terms of service, and other data privacy regulation
  • Do not make the vulnerability public before reporting it to us via the procedures above, and giving us enough time to properly address the issue
  • Do not demand payment or other compensation in exchange for withholding or disclosing a vulnerability

Happy hacking 💚

Ready to recruit quality experts, fast?

Unlock the power of AI-led screening and gain deeper understanding of who's powering your research.

Try for freeContact us
© 2026 All Rights Reserved by Terac