security.turnkey.com PGP key (FP: AD6C 3E61 17A5 886E 550E F8BB 3ACD E5EA 8DC7 9275). This can also be found on Turnkey’s website at https://www.turnkey.com/.well-known/security.asc.txt
Upon receiving a report, our team promptly assesses and prioritizes the vulnerability based on its severity and potential impact. We then take reasonable and appropriate steps to mitigate and remediate the identified risks in accordance with our internal policies and timelines. Where feasible, we will endeavor to keep the reporter informed throughout the process. Our approach is designed to ensure confidentiality and offer safe harbor to researchers, promising that those who report vulnerabilities ethically and in good faith will not face legal action. Turnkey offers monetary rewards of up to $50,000 for valid reports, determining the rewarded amount based on the severity of the vulnerability.
We expect reporters to treat vulnerability reports submitted to Turnkey, along with all associated information and/or data, with a high degree of care, use it solely for the purpose of reporting to Turnkey, and to not disclose it to any third parties without our written consent. With the reporter’s consent, we may publicly disclose details of the vulnerability and acknowledge their contribution after it has been resolved.
For further inquiries or more information about our program, please contact our security team at security@turnkey.com.