## Security Policy for TLT-Turbo GmbH, Germany

### Purpose and Scope

This security policy establishes the principles and procedures for handling security issues and vulnerabilities in our IT systems and services. It applies to all employees, contractors, and external security researchers.

### Responsibilities

Our security team is responsible for implementing this policy and processing all incoming security reports.

### Reporting Security Issues

1. External researchers and employees are requested to report security issues using the contact details provided in the security.txt file.

### Handling of Security Reports

1. All reports will be acknowledged within the next working day.
2. Our team will assess and prioritise reported issues within 5 working days.
3. We will keep the reporter informed of progress and notify them upon resolution of the issue.

### Disclosure Policy

1. We request responsible disclosure and allow 90 days for remediation before details are published.
2. After remediation, we will coordinate with the reporter on a joint disclosure.

### Legal Protection

We will not pursue legal action against security researchers who act in good faith and in accordance with this policy.

### Rewards

We currently do not operate a bug bounty programme. However, we offer to publicly acknowledge the work of security researchers in our Hall of Fame, which is referenced in our security.txt file. This acknowledgement is on an opt-in basis; researchers can choose whether they wish to be included.

### Communication

For initial contact and non-sensitive information, please use the email address provided. For secure communication of sensitive information, we offer the Signal Messenger via our signal.me link. We also accept secure file-sharing services with end-to-end encryption. All necessary contact details are available in our security.txt file.

### Updates

This policy is reviewed annually and updated as necessary.

Last updated: 2025-12-10