01
Introduction
This Security Policy describes the vulnerability-reporting process and security practices for the T3 Code desktop and mobile applications, the hosted application at https://app.t3.codes, the optional T3 Connect service, and the T3 Code website at https://t3.codes.
T3 Code connects software running on your devices and in environments you control with coding-agent harnesses and providers you choose. We secure the software and infrastructure operated by T3 Tools, but we do not control the security of your devices, environments, repositories, networks, credentials, or third-party providers. Please review the shared responsibilities below when assessing risk.
02
Reporting Security Issues
If you believe you have found a security vulnerability affecting T3 Code or T3 Tools-operated infrastructure, email security@ping.gg. Please do not disclose the issue publicly until we have had a reasonable opportunity to investigate and remediate it.
Please include, when available:
- A description of the issue and its potential impact;
- The affected application, version, URL, endpoint, or component;
- Clear reproduction steps or a minimal proof of concept;
- Relevant logs, screenshots, or request and response details with secrets removed; and
- Your preferred contact information and whether you want public credit.
We aim to acknowledge complete reports within one business day, keep reporters informed of material progress, and coordinate disclosure after a fix is available. Resolution time varies with severity, complexity, and dependencies on third parties.
03
Responsible Research and Safe Harbor
We support good-faith security research. If you make a genuine effort to comply with this policy, avoid harm, respect privacy, and report findings promptly, we will treat your research as authorized and will not initiate legal action against you for accidental, good-faith violations of this policy. If a third party initiates legal action concerning compliant research, we will make our authorization known where appropriate.
To remain within this safe harbor, you must:
- Test only accounts, data, and systems you own or have explicit permission to test;
- Stop and report immediately if you encounter personal, confidential, or production data;
- Access only the minimum information needed to demonstrate the issue;
- Avoid disrupting availability, degrading performance, or damaging or deleting data;
- Not use social engineering, phishing, physical attacks, or denial-of-service testing;
- Not test third-party services or infrastructure outside T3 Tools’ control; and
- Give us reasonable time to address the issue before public disclosure.
This safe harbor does not authorize violations of law or activity outside the scope of this policy. Vulnerability rewards are not guaranteed and, if offered, are determined by T3 Tools in its discretion.
04
Our Security Practices
We use administrative, technical, and organizational safeguards designed for the nature of T3 Code and the information processed by T3 Tools-operated services. These practices include:
- Data minimization. T3 Code is designed so coding-session content can remain between your clients, your environment, and the harnesses and providers you configure. We process information through T3 Tools-operated infrastructure only when needed for a feature you enable.
- Encrypted transport. T3 Tools-operated network services use encrypted transport. Supported connection flows use scoped credentials and security controls designed to reduce unauthorized reuse.
- Credential protection. T3 Code uses platform-provided protected storage for credentials and session tokens where supported. We design operational logging to avoid collecting secrets that are not needed to operate or troubleshoot the Services.
- Access controls. Access to production systems and operational data is limited according to job responsibilities and protected using authentication and authorization controls.
- Maintenance and monitoring. We monitor T3 Tools-operated services for reliability and security events, review dependencies, and deploy updates and mitigations as appropriate.
- Established providers. We use specialized providers for services such as authentication, hosting, and application distribution and evaluate the controls relevant to their role.
No system is completely secure. These practices reduce risk but do not guarantee that the Site or Services will be free from vulnerabilities or unauthorized access.
05
Your Responsibilities
Because you control much of the T3 Code execution path, you play an important role in securing it. You are responsible for:
- Keeping T3 Code, your operating systems, and connected tools up to date;
- Securing your devices, repositories, environments, networks, and backups;
- Protecting account, provider, repository, and environment credentials;
- Using multi-factor authentication where your identity and coding-agent providers support it;
- Granting providers and integrations only the permissions they need;
- Reviewing commands, source changes, and other agent output before applying or executing it;
- Removing lost or unused devices and revoking credentials you believe may be compromised; and
- Following the security policies of your selected harnesses, providers, and infrastructure.
Do not send passwords, API keys, access tokens, or private keys in a vulnerability report. Revoke any secret that may have been exposed before sharing sanitized evidence with us.
06
Updates to This Policy
We may update this Security Policy as T3 Code, our infrastructure, and security practices evolve. We will post revisions at this URL and update the dates above. Material changes to the vulnerability-reporting process or safe-harbor terms will apply prospectively.
07
Contact Us
Report security issues or ask security-related questions at security@ping.gg.
For general legal questions, contact legal@t3.tools. For privacy requests, contact privacy@t3.tools.