Discovered a security vulnerability?
Tell us about it
Vulnerabilities in Titan OS Products or Titan OS Websites
This policy applies to Titan OS consumer products (TV firmware, backend services, and official websites). If you believe you have found a vulnerability, please report it confidentially via security@titanos.tv (PGP key available in our /.well-known/security.txt).
After you have submitted your report, we will respond quickly and aim to triage it within the following working days. We will also aim to keep you informed of our progress. Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire about the status but should avoid doing so more than once every 14 days. This allows our teams to focus on the remediation.
At this time, Titan OS does not offer monetary rewards. We may, however, provide acknowledgment or hall of fame credits.
Research conducted in good faith under this policy will be considered authorized, and we will not pursue legal action or refer it to law enforcement.
Sensitive and Personal Information
Never attempt to access personal or sensitive data. If you inadvertently obtain such information:
STOP testing immediately.
DO NOT save, copy, disclose, or transfer the data.
ALERT us right away at security@titanos.tv and assist with containment.
Out-of-Scope Vulnerabilities
The items below are generally out of scope:
Physical attacks requiring disassembly, JTAG, or debug ports
Social engineering or phishing
Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks of any kind, including but not limited to network floods, resource exhaustion, or power cycling
Issues affecting only rooted/modified TVs or unsupported firmware builds
UI glitches or cosmetic errors with no security impact
Crashes that do not lead to code execution or privilege escalation
DRM or HDCP bypass attempts (particularly those touching on copyright infringement)
Image metadata or version disclosures without exposing sensitive data
Theoretical or scanner-only vulnerability reports without a proof-of-concept
Vulnerabilities in assets or systems not owned or controlled by the vendor (third-party assets/domains)
Clickjacking or open redirect issues on non-sensitive pages without demonstrated impact
CSRF on non-sensitive or unauthenticated endpoints
Missing security best practices unless they enable real exploitation
Lack of rate limiting on non-sensitive actions
Broken links, mixed content, error pages, or debug pages revealing nothing sensitive
Self‑XSS or self‑DoS that cannot be used to attack other users
Known or publicly disclosed vulnerabilities without a PoC
Physical, social engineering, or fraud-based attacks even in other programs
If a proof of concept shows that any of the above does affect confidentiality, integrity, or authenticity of Titan OS assets, we will treat it as in-scope.
The use of automated tools to discover vulnerabilities is not permitted. Any reports generated by automated tools will be rejected. We reserve the right to take legal action against the use of automated tools that negatively impact the confidentiality, integrity, or availability of our systems.
Report Policy
Reach us: security@titanos.tv (encrypt with our PGP key if possible).
Include: organization & contact name, clear description, reproduction steps, impact, and—where applicable—firmware version or URL.
Proof-of-concepts (screenshots, videos) are welcome; mark hosted media as private.
Mitigation suggestions are appreciated.
Keep all vulnerability communications confidential and coordinate any public disclosure with us.
Reports must be in English.
Duplicate submissions: only the first reporter is credited.
We may reject reports that fall under the out-of-scope list or do not follow this policy.
We’ll keep you informed
You will be notified of every major step (acknowledgement, triage result, fix progress, public release).
Thank you
Titan OS believes in responsible disclosure and appreciates your efforts to keep our users safe.
