Vulnerability Disclosure
TuxlerVPN Mobile welcomes coordinated security research conducted in good faith. This page describes the scope of our disclosure programme, how to report a vulnerability, our response commitments, and the recognition we offer. This programme is part of our broader Security Practices and complements the contractual restrictions in the EULA and Acceptable Use Policy.
Scope
The following components are in scope:
- The TuxlerVPN Mobile Android application as distributed through Google Play.
- The TuxlerVPN Mobile website at tuxlervpn.app.
- Public-facing API endpoints used by the Android app (for example, apivpn.tuxlervpn.app).
The following are out of scope:
- Third-party services TuxlerVPN Mobile depends on (Google Play, Sentry, our customer-support provider, our web hosting provider, the Tuxler cloud infrastructure providers). Report issues in those products directly to their respective vendors.
- Denial-of-service and volumetric attacks, traffic flooding, and resource exhaustion.
- Social engineering of TuxlerVPN Mobile personnel, processors, or customers.
- Physical attacks, theft, or attempts to obtain unauthorised access to TuxlerVPN Mobile premises.
- Spam, brute-forcing, and automated credential stuffing.
- Reports requiring already-compromised devices or access to a victim’s account that we have not authorised.
- Vulnerabilities in software versions older than the current Google Play release of the TuxlerVPN Mobile Android app.
Safe harbour
Security research conducted in good faith and within the scope above is authorised. TuxlerVPN Mobile will not pursue legal action against researchers for activity that:
- Stays within the in-scope assets listed above.
- Avoids degrading availability for other users (no denial-of-service, no volumetric testing).
- Does not access, modify, or destroy data belonging to anyone other than yourself or a test account you control.
- Stops at proof of vulnerability and does not exfiltrate data or pivot to other systems.
- Reports the issue to us promptly using the channel below and gives us a reasonable opportunity to remediate before any public disclosure.
If you are unsure whether a particular test is in scope, ask first by emailing [email protected].
How to report
Email [email protected] with as much detail as you can provide:
- The affected component (Android app version, URL, or API endpoint).
- A clear description of the issue and its impact.
- Step-by-step reproduction instructions, including any payloads or proof-of-concept code.
- Your preferred contact method and the name (or handle) you would like used in any public acknowledgement.
We aim to acknowledge receipt of every in-scope report by reply email. Where a report is incomplete we will write back asking for the additional detail needed.
Our response commitment
After acknowledgement we triage the report and confirm a remediation plan with you. Our target timelines, measured from the point we accept the finding, are:
- Critical severity: target remediation within 30 days.
- High severity: target remediation within 60 days.
- Medium severity: target remediation within 90 days.
- Low severity: best effort, scheduled into upcoming releases.
We follow a coordinated disclosure model. The default coordinated-disclosure window is 90 days from acknowledgement. We may agree a longer window with you when a fix requires a coordinated platform release (for example, a Google Play rollout) or where remediation depends on a third-party vendor. Please do not publish details of the issue before the agreed window expires. Doing so falls outside the safe-harbour terms above.
Recognition
TuxlerVPN Mobile does not currently offer a monetary bug-bounty programme. We acknowledge contributors publicly, with their consent, in the Hall of Fame section below. We may introduce a paid programme in the future. If we do, we will update this page accordingly.
Hall of fame
No public acknowledgements yet. Be the first.
What is not a vulnerability report
The following do not require a security report. Please use the channels indicated:
- General customer-support enquiries: [email protected].
- Reports of abusive behaviour by other users: [email protected] with the subject "Abuse Report" (see Supported & Prohibited Use Cases).
- Copyright complaints: see the DMCA Policy.
- Privacy-rights requests (access, deletion, etc.): see Privacy Rights.
- Law-enforcement requests: see the Law-Enforcement Request Policy.
Updates
This page is reviewed when our security posture changes. Last reviewed: 3 May 2026.