trua.cloud

Security Policy

Last Updated: March 2026
Effective Date: March 2026

Trua takes the security of the Trust Bureau platform and the privacy of credential holders seriously. We welcome responsible disclosure of security vulnerabilities.

Reporting a Vulnerability

If you discover a security vulnerability in the Trust Bureau platform, please report it to:

security@trua.cloud

We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days.

What to Include

  • Description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Affected URL, API endpoint, or component
  • Any proof-of-concept code (if applicable)
  • Your contact information for follow-up

Responsible Disclosure Guidelines

We ask that you:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial-of-service testing against production systems
  • Do not use social engineering against Trua employees or partners
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it
  • Do make a good faith effort to avoid privacy violations, data destruction, and service disruption
  • Do limit your testing to your own accounts and test environments where possible

Scope

The following systems are in scope for security research:

  • Trust Bureau platform (bureau.trua.cloud)
  • Trust Bureau API (/api/v1/bureau/*)
  • Holder wallet (/ttb/wallet/*)
  • Issuer, verifier, and bureau portals (/ttb/issuer/*, /ttb/verifier/*, /ttb/bureau/*)
  • Platform documentation (/ttb/*)
  • Published SDKs (@trua/issuer-sdk, @trua/holder-sdk, etc.)

The following are out of scope:

  • Third-party services and vendors (AuthID, Samba Safety, etc.)
  • Social engineering or phishing attacks
  • Denial-of-service attacks
  • Physical security

Our Commitment

  • We will not take legal action against researchers who act in good faith and comply with this policy
  • We will work with you to understand and resolve the issue promptly
  • We will credit you (with your permission) in our security advisories
  • We will notify affected parties if a vulnerability impacts credential holder data

Security Architecture

The Trust Bureau implements multiple security layers:

Layer                       Mechanism
Identity Binding            Biometric verification anchors every credential to a real human (Fixed Binding)
Consent Gates               No credential data flows without explicit, auditable holder consent (GP-18)
Cryptographic Credentials   SD-JWT Verifiable Credentials with ES256 signatures
Audit Trail                 Immutable, append-only evidence log for all operations
Key Management              Per-issuer ES256 key pairs, DID-based identity, key rotation support
Rate Limiting               Per-key and per-IP rate limits on all API endpoints
Webhook Integrity           HMAC-SHA256 signatures on all webhook deliveries
Token Decay                 Credentials expire automatically — no permanent standing trust

Contact

Security reports: security@trua.cloud
General inquiries: bureau@trua.cloud

This policy is also available in machine-readable format at /.well-known/security.txt per RFC 9116.