Overview
This page sets out the rules for security research against Xopoz infrastructure, mobile clients, and APIs. It exists to protect three things: our users' data, the integrity of the Xopoz service, and you — the researcher — from legal exposure.
1 · Prior Written Authorisation Is Mandatory
To request authorisation, send an email to xopoz@tiritix.com with the subject "White Hat Authorisation Request". Include:
- The scope you intend to test (which endpoints, which client surfaces, which kinds of attacks).
- The dates and approximate hours during which you plan to test.
- The source IP ranges or device identifiers your traffic will originate from.
- How you will report findings.
We aim to respond within five working days. Authorisation, when granted, is delivered in writing and names the authorised researcher, the scope, the test window, and the rules of engagement.
2 · Reward — One Free Year of Xopoz
The reward is granted when, after responsible disclosure, the report meets all of the following:
- The researcher held valid prior written authorisation and stayed within the agreed scope.
- The vulnerability is reproducible, original (not previously known to us), and has a meaningful security impact.
- The researcher gave us a reasonable window to fix the issue before any public disclosure.
Multiple distinct vulnerabilities reported in the same engagement stack: each verified finding adds another year, up to a sensible maximum we will discuss with you.
3 · In-Scope Targets
Once authorisation is granted, the following are typically in scope (subject to the specific authorisation letter):
- The Xopoz Android client (APK published at /xopoz/releases).
- The Xopoz public API at api.tiritix.com/xopoz/v1/*.
- The marketing and product website at tiritix.com and www.tiritix.com.
- Cryptographic protocol design (end-to-end position and message encryption).
4 · Out of Scope
The following are explicitly out of scope and will not earn a reward, even with authorisation:
- Denial-of-service or volumetric attacks of any kind.
- Social engineering of TIRITIX staff, customers, or third parties.
- Physical attacks against TIRITIX premises or hardware.
- Attacks that target other Xopoz users or their data — testing must use accounts you own.
- Findings that require already-compromised devices, rooted clients, or stolen credentials, unless they meaningfully reduce the trust assumptions of the system.
- Reports based purely on automated scanner output without a working proof of concept.
- Best-practice nitpicks (missing security headers, weak TLS ciphers on non-sensitive subdomains, etc.) where no concrete impact can be demonstrated.
5 · Rules of Engagement
- Stay in scope. Do not pivot to systems, accounts, or data that the authorisation letter does not name.
- Use test accounts. Create your own Xopoz accounts and teams; do not interact with other users' data.
- Minimise impact. Stop as soon as you have a working proof of concept. Do not exfiltrate, modify, or delete data beyond what is strictly necessary to demonstrate the issue.
- Do not publish. Coordinate disclosure with us. Public posts, talks, blogs, or social-media threads about findings require our written sign-off and a sensible delay after the fix has shipped.
- Report promptly. Send findings as soon as you have them, with steps to reproduce, expected vs. observed behaviour, impact analysis, and any artefacts (HTTP traces, screenshots, scripts).
6 · Safe Harbour
For researchers who hold valid prior written authorisation and stay within its scope and rules, TIRITIX commits to:
- Not pursue civil or criminal action for activity carried out in good faith under the authorisation.
- Treat the engagement as authorised access for the purposes of applicable computer-misuse legislation.
- Work with you in good faith, including on disclosure timing and credit attribution.
Researchers acting outside this policy — including testing without prior authorisation — receive no safe harbour and may be reported to the relevant authorities.
7 · Contact
All correspondence relating to this policy goes to xopoz@tiritix.com. PGP-encrypted reports are encouraged; ask for the current public key in your first message.