Introduction
Tarian Cyber welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets, we want to hear from you. This policy outlines the steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

Scope
All of Tarian Cyber's assets are in scope unless otherwise stated in the Out-of-Scope section below.
This includes:
• *.tarian.com.au
• *.tariancyber.com.au
• Third-party systems used by Tarian Cyber. Ensure you get consent from the third party before starting any testing.
We will only acknowledge submissions that have real-world impact. To better prove this impact, a working Proof of Concept is highly recommended and may result in a better outcome. We will not accept theoretical vulnerabilities, such as TLS vulnerabilities and missing security headers, unless you can show impact.

Out of Scope
• Any other domains owned by Tarian Cyber that are not defined in the Scope section above;
• Social engineering of any kind;
• Physical attacks against team members or property;
• Denial of Service type attacks; and
• Actions that violate Australian and Queensland State law.

Commitments
When working with us, according to this policy, you can expect us to:
• Respond to your report promptly, and work with you to understand and validate your report;
• Strive to keep you informed about the progress of a vulnerability as it is processed;
• Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
• Extend Safe Harbor for your vulnerability research that is related to this policy.

Expectations
When working with us according to this policy, you can expect us to:
• Work with you to understand and validate your report, including a timely initial response to the submission;
• Work to remediate discovered vulnerabilities in a timely manner; and
• Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

Official Channels
Please report security issues via security@tarian.com.au, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.

Disclosure Policy
Discretionary Disclosure: The researcher or Tarian Cyber can request mutual permission to share details of the vulnerability after approval is explicitly received.

We value the work of researchers and the benefit of public disclosure. To that end, we encourage researchers to request permission from us prior to disclosing their findings. If permission is granted, researchers should ensure any sensitive and confidential information is removed or redacted prior to publishing.

Rewards
We reward based on the impact of the finding, the quality of the report and how much effort went into the PoC. Keep in mind that we are a small company, but we are hoping to increase our rewards as we grow.
Rewards will be assessed and allocated on a case-by-case basis.


Vulnerability Disclosure Policy