Security

Security and responsible disclosure. Report it, and we will act.

If you believe you have found a security issue in any Tendly product, tell us. We respond to every valid report within 3 business days and work with you through to the fix.

Report a vulnerability

Email security@usetendly.com. Encrypted reports are welcome; request our PGP key in your first message.

Please include a clear description of the issue, reproduction steps, the impact you believe it has, and any proof-of-concept code or screenshots.

Response target: within 3 business days, for every valid report.
Encrypted reports: supported. Request our PGP key in your first message.
Last updated: May 16, 2026

The agreement

What we ask, and what we promise in return.

Test in good faith and we will treat your work the same way. These are the terms both sides hold to.

What we ask of you

  • Give us reasonable time to investigate and ship a fix before public disclosure.
  • Avoid privacy violations, service disruption, or destruction of data while testing.
  • Only test against accounts you own or have explicit permission to use.
  • Do not attempt social engineering, phishing, or physical attacks against Tendly employees, contractors, partners, or end-customers.

What we promise you

  • We acknowledge your report within 3 business days.
  • We keep you updated on progress through to the fix.
  • Once a fix is shipped, we credit you publicly or keep your report private, whichever you choose.
  • We will not pursue legal action against researchers who follow this policy in good faith.

Scope

What is in scope, and what is not.

Findings against these systems are eligible. The out-of-scope list keeps the signal high so real issues get our full attention.

In scope

  • usetendly.com and the Tendly platform application
  • Tenant-customer subdomains and custom domains served by Tendly
  • The Tendly partner portal and partner API
  • Tendly mobile clients, when shipped

Out of scope

  • Findings that require already-compromised credentials, physical access to a victim device, or a malicious browser extension
  • Volumetric denial-of-service against any production system
  • Reports generated solely by automated scanners with no demonstrated impact
  • Email spoofing without a clear authentication-bypass impact
  • Self-XSS that requires victim cooperation with no privilege escalation
  • Issues affecting EOL browsers or end-of-life software versions

Coordinated disclosure

We work with you through to disclosure.

We follow a coordinated-disclosure model. If you would like to publish a writeup once a fix has shipped, we are happy to review the draft for accuracy and link to it from this page.

Read our security.txt