Security and Vulnerability Disclosure Policy

Transjt does not operate a paid bug bounty program. We do not offer monetary rewards, swag, or other compensation for vulnerability reports. We still welcome good-faith reports and review every legitimate submission.

Reports that condition disclosure, remediation, or non-disclosure on payment will not be considered eligible for compensation and may be treated as abusive or extortionate.

If you believe you have found a security vulnerability, please email security@transjt.ai with the subject line “Security Vulnerability Report”.

To help us assess and reproduce the issue quickly, please include: 

• A clear description of the vulnerability
• Steps to reproduce it
• Affected URLs, APIs, plugin flows, or integrations
• The potential impact
• Screenshots, logs, or proof-of-concept details, if available
• How we can contact you for follow-up

This policy applies to services operated by Transjt:

• The Transjt Figma plugin
• The Transjt web application
• The Transjt backend APIs
• Transjt authentication and account flows
• Transjt integrations with services such as Figma, HubSpot, WordPress, and Google
• Transjt-owned domains, including transjt.ai and transjt.io

We are aware of the following classes of reports and have made a deliberate, risk-based decision about them. Unless you can demonstrate a concrete, exploitable security impact, the following are out of scope and we will not act on them:

• Missing HTTP security headers (e.g. CSP, HSTS, X-Frame-Options) without a working exploit
• Email configuration findings such as SPF, DKIM, or DMARC policies
• Clickjacking on pages with no sensitive, state-changing actions
• Self-XSS (issues that require a victim to paste content into their own browser)
• Rate limiting, brute force, or application-level denial-of-service concerns without demonstrated impact
• Volumetric or network-level denial-of-service attacks
• Output from automated scanners without a manually validated, confirmed vulnerability
• Social engineering of Transjt staff, users, or contractors
• Physical attacks against Transjt property or infrastructure
• Vulnerabilities in third-party services that Transjt does not control

When researching, please:

• Only test against accounts, projects, files, and integrations that you own or have explicit permission to test.
• Do not access, modify, delete, or exfiltrate data that does not belong to you.
• Do not perform testing that could degrade, disrupt, or deny service to Transjt or its users (including denial-of-service and high-volume automated testing).
• Use findings only to report them to us, and for no other purpose.

If you inadvertently access data that does not belong to you, stop immediately. Do not save, copy, share, or disclose it, and report what happened to us right away.

Please give us a reasonable opportunity to investigate and remediate an issue before disclosing it publicly. We ask researchers not to publicly disclose vulnerability details until a fix or mitigation has been deployed, or until we have agreed on a disclosure timeline.

We will not pursue or support legal action against researchers who, in good faith, comply with this policy — that is, who stay within the scope and testing guidelines above and give us reasonable time to respond before any disclosure. If a third party brings legal action against you for activity that complied with this policy, and the matter is within our ability to address, we will make it known that your actions were conducted under this policy.

This policy does not grant permission to act in any way that is inconsistent with the law, or that could cause Transjt or its users to breach any legal obligation.

For details on how Transjt handles personal data, see our Privacy Policy: https://transjt.ai/privacy