Vulnerability Disclosure Policy
Last Updated: May 2026
Purpose
Traction Complete Technologies Inc. is committed to ensuring the security of its products and services. This Vulnerability Disclosure Policy (VDP) establishes a clear and transparent process for external security researchers, customers, and partners to report potential security vulnerabilities in a responsible manner. We value the contributions of the security community and are committed to working collaboratively to identify and address security issues that affect our customers and systems.
Scope
This policy applies to all products and systems developed and operated by Traction Complete Technologies Inc., including:
- Applications and managed packages hosted on the Salesforce platform
- APIs, services, and applications hosted on Traction Complete-managed infrastructure, including AWS-hosted products
This policy does not extend to third-party platforms or services that Traction Complete relies on but does not operate, such as the Salesforce core platform itself, or any underlying cloud infrastructure provider services.
Reporting a Vulnerability
If you believe you have discovered a security vulnerability in any Traction Complete product or system, please submit your report to: security@tractioncomplete.com
To help us triage your report effectively, please include as much of the following as possible:
- A clear description of the vulnerability and its potential impact
- The specific product, service, or system affected
- Detailed steps to reproduce the issue, including any URLs, endpoints, or payloads involved
- Proof-of-concept code, screenshots, or logs if available
- Your assessment of the severity and exploitability of the issue
We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it. We ask for a coordinated disclosure window of up to 90 days from the date of acknowledgement, after which you are free to publish your findings. If exceptional circumstances require more time, we will communicate this to you proactively and work with you on an agreed timeline.
Our Commitments
Upon receiving a vulnerability report, Traction Complete Technologies Inc. commits to the following:
- Acknowledgement: We will acknowledge receipt of your report within 72 hours.
- Triage and Communication: We will investigate your report and keep you informed of our progress. We will provide updates as the investigation develops, including when the vulnerability has been assigned a severity and when remediation is underway.
- Severity Assessment: Reported vulnerabilities will be assessed and classified in accordance with our internal severity framework. Critical and high-severity vulnerabilities are prioritized for remediation within 30 days where technically feasible. For vulnerabilities that cannot be remediated within standard timelines, a risk treatment plan and target remediation date will be documented internally.
- Resolution Notification: We will notify you when the reported vulnerability has been resolved.
Our internal handling of reported vulnerabilities follows the processes defined in our Incident Response Plan and Operations Security Policy, both of which govern how security issues are escalated, documented, and remediated across our organization.
Responsible Research Guidelines
To ensure research is conducted safely and does not impact our customers or systems, we ask that researchers:
- Only test against systems and accounts they own or have explicit authorization to test
- Avoid accessing, modifying, exfiltrating, or destroying data beyond what is minimally necessary to demonstrate the vulnerability
- Do not perform denial-of-service attacks, spam, social engineering, or physical attacks against Traction Complete systems, personnel, or customers
- Do not exploit vulnerabilities beyond initial proof-of-concept verification
- Do not interact with or test against customer data or customer-owned Salesforce instances
- Report findings promptly and refrain from sharing details with any third party prior to coordinated disclosure
Safe Harbour
Traction Complete Technologies Inc. will not pursue civil or criminal action against security researchers who discover and report vulnerabilities in good faith and in compliance with this policy.
We consider security research conducted in accordance with these guidelines to be authorized activity under our information security policies.
We will not refer such activity to law enforcement unless we are legally obligated to do so. If legal action is initiated by a third party against a researcher who has acted in good faith under this policy, we will take reasonable steps to make clear that the research was conducted in accordance with this policy.