If you believe you have found very serious vulnerability, we ask that you encrypt the message to the security.turnkey.com PGP key (FP: AD6C 3E61 17A5 886E 550E F8BB 3ACD E5EA 8DC7 9275). This can also be found on Turnkey’s website at https://www.turnkey.com/.well-known/security.asc

Upon receiving a report, our team promptly assesses and prioritizes the vulnerability based on its severity and potential impact. We then take reasonable and appropriate steps to mitigate and remediate the identified risks in accordance with our internal policies and timelines. Where feasible, we will endeavor to keep the reporter informed throughout the process. Our approach is designed to ensure confidentiality and offer safe harbor to researchers, promising that those who report vulnerabilities ethically and in good faith will not face legal action.

We expect reporters to treat vulnerability reports submitted to Turnkey, along with all associated information and/or data, with a high degree of care, use it solely for the purpose of reporting to Turnkey, and to not disclose it to any third parties without our written consent. With the reporter’s consent, we may publicly disclose details of the vulnerability and acknowledge their contribution after it has been resolved.

For further inquiries or more information about our program, please contact our security team at security@turnkey.com.

Bug bounty submissions

Use the form below to directly submit vulnerabilities for triage and evaluation as part of our bug bounty program.