Found a security issue?
Tell us. We’ll work the fix with you, credit your research, and won’t pursue legal action against good-faith researchers.
Email security@ttlongevity.com
Please include:
- A clear description of the vulnerability and its potential impact.
- Step-by-step reproduction instructions, including any URLs, requests, or accounts you used.
- Any supporting screenshots, logs, or proof-of-concept code (please don’t include real PHI; use a test account).
- Your name or handle if you’d like credit, or a note that you’d prefer to remain anonymous.
If the issue is sensitive enough that email feels uncomfortable, request our PGP key in the same message and we’ll reply with one before you share details.
Our response timeline.
1. Acknowledgement within 2 business days. A human, not a robot, will confirm we received the report and assigned it to a specific engineer.
2. Triage within 5 business days. We’ll confirm the vulnerability, assess severity, and share a rough fix timeline. If we can’t reproduce it, we’ll ask for more information rather than closing it silently.
3. Fix and verification. Critical issues are typically resolved within 30 days; high-severity within 60; medium within 90. We’ll keep you in the loop and ask you to verify the fix in the affected environment.
4. Coordinated public disclosure. When the fix is shipped, we’ll publish a brief writeup if appropriate, with credit to you unless you’ve asked to remain anonymous, and welcome you to publish your own.
What’s in scope.
- www.ttlongevity.com: the marketing site (this site).
- beta.ttlongevity.com: the running TTL application.
- Any TTL-owned API endpoint reachable from the application.
- Authentication and session handling (JWT, OAuth flows).
What’s out of scope.
- Third-party services (Stripe, Render hosting, OAuth providers, AI provider APIs) — please report those to the vendor directly.
- Volumetric denial-of-service testing. Don’t do it.
- Social engineering of TTL staff or our customers.
- Physical attacks on TTL property or cloud datacenters.
- Reports based purely on missing security headers without a demonstrated impact.
If you act in good faith, we won’t come after you.
We won’t pursue legal action, suspend accounts, or contact your employer about security research that is:
- Conducted on your own test accounts, not other users’ data.
- Limited to what’s necessary to demonstrate the issue — you don’t need to dump tables, access PHI in bulk, or exfiltrate data to make a point.
- Reported to security@ttlongevity.com before being made public.
- Compliant with applicable laws and regulations in your jurisdiction.
Real-user PHI is never an acceptable target. If you discover that a vulnerability gives access to other users’ data, stop, document the path, and report it — we’ll handle the cleanup.
United States: good-faith research within this scope is consistent with the U.S. Department of Justice’s May 2022 policy on charging Computer Fraud and Abuse Act (18 U.S.C. § 1030) cases, which directs federal prosecutors to decline charges for good-faith security research. We will not assert claims against you under the CFAA, the Digital Millennium Copyright Act’s anti-circumvention provisions, or analogous state laws for activity that meets the conditions above.
Mexico: we will not pursue good-faith research within this scope under articles 211 bis 1 through 211 bis 7 of the Código Penal Federal (unlawful access to computer systems and equipment) or under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP). We ask that you report to security@ttlongevity.com before disclosing publicly.
Help us keep TTL safe.
Send us a write-up. We'll work the fix with you and credit your research.