Security and responsible disclosure

Last updated: May 16, 2026

Report a vulnerability

If you believe you have found a security issue in any Tendly product, please email security@tendly.com. Encrypted reports are welcome; request our PGP key in your first message.

Please include a clear description of the issue, reproduction steps, the impact you believe it has, and any proof-of-concept code or screenshots. We respond to all valid reports within 3 business days.

What we ask

  • Give us reasonable time to investigate and ship a fix before public disclosure.
  • Avoid privacy violations, service disruption, or destruction of data while testing.
  • Only test against accounts you own or have explicit permission to use.
  • Do not attempt social engineering, phishing, or physical attacks against Tendly employees, contractors, partners, or end-customers.

What we promise

  • We will acknowledge your report within 3 business days.
  • We will keep you updated on progress through to fix.
  • We will credit you publicly (or keep your report private, your choice) once a fix is shipped.
  • We will not pursue legal action against researchers who follow this policy in good faith.

In scope

  • usetendly.com and the Tendly platform application
  • Tenant-customer subdomains and custom domains served by Tendly
  • The Tendly partner portal and partner API
  • Tendly mobile clients (when shipped)

Out of scope

  • Findings that require already-compromised credentials, physical access to a victim device, or a malicious browser extension
  • Volumetric denial-of-service against any production system
  • Reports generated solely by automated scanners with no demonstrated impact
  • Email spoofing without a clear authentication-bypass impact
  • Self-XSS that requires victim cooperation with no privilege escalation
  • Issues affecting EOL browsers or end-of-life software versions

Coordinated disclosure

We follow a coordinated-disclosure model. If you would like to publish a writeup once a fix has shipped, we are happy to review the draft for accuracy and link to it from this page. The full Tendly security.txt is available at /.well-known/security.txt.