Skip to main content

Reporting a vulnerability

Turnkey highly values the security of our software, services, and systems and we actively encourage the ethical reporting of any security vulnerabilities discovered. We invite researchers and users to report potential security vulnerabilities to us via email at When submitting a report, please provide a thorough description of the vulnerability, including steps to reproduce it and its potential impact. We are committed to acknowledging all legitimate reports within five (5) business days of receipt.

Upon receiving a report, our team promptly assesses and prioritizes the vulnerability based on its severity and potential impact. We then take reasonable and appropriate steps to mitigate and remediate the identified risks in accordance with our internal policies and timelines. Where feasible, we will endeavor to keep the reporter informed throughout the process. Our approach is designed to ensure confidentiality and offer safe harbor to researchers, promising that those who report vulnerabilities ethically and in good faith will not face legal action.

We expect reporters to treat vulnerability reports submitted to Turnkey, along with all associated information and/or data, with a high degree of care, use it solely for the purpose of reporting to Turnkey, and to not disclose it to any third parties without our written consent. With the reporter's consent, we may publicly disclose details of the vulnerability and acknowledge their contribution after it has been resolved.

This responsible disclosure program will be reviewed and, if necessary, updated annually to reflect evolving security threats and best practices in vulnerability management.

For further inquiries or more information about our program, please contact our security team at