Responsible Disclosure Policy

Last updated: August 19, 2024

At Tremendous, we prioritize the security and privacy of our users and their data. We take all potential security issues seriously and are committed to addressing them promptly. If you believe you have discovered a vulnerability in our platform, we encourage you to report it to us responsibly.

Reporting a Vulnerability

If you identify a security vulnerability, please share the details with us by emailing [email protected]. Include the following information in your report:

  • A detailed description of the vulnerability

  • Steps to reproduce the issue

  • Any supporting evidence, such as screenshots or logs

  • Your contact information

Requesting a copy of our SOC 2 report

Please email your customer success manager, or [email protected] if you do not have one. Requests for SOC 2 reports sent to [email protected] cannot be fulfilled, as that address is reserved for vulnerability reports.

Our Commitment

We are committed to addressing security vulnerabilities responsibly. When you report a vulnerability to us, we commit to:

  • Acknowledging receipt of your report within 3 business days

  • Providing an estimated timeline for addressing the vulnerability

  • Notifying you when the issue has been resolved

Safe Harbor

To encourage responsible vulnerability disclosure and protect researchers, Tremendous follows these guidelines:

  • We will not take legal action against researchers who report vulnerabilities in good faith

  • We will not suspend or terminate access to our services for researchers who comply with this policy

  • We will work with researchers to understand and resolve the issue promptly

Scope

This policy applies to vulnerabilities discovered in any of the services provided by Tremendous, including but not limited to:

  • Tremendous website and web applications

  • Tremendous API

  • Tremendous recipient experience

  • Any other services operated by Tremendous

Exclusions

While we appreciate your efforts to identify security vulnerabilities, the following activities are explicitly excluded from this policy:

  • Denial of Service (DoS) attacks

  • Social engineering or phishing attacks

  • Physical attacks on Tremendous property or data centers

Bug Bounty

We do not offer a bug bounty program and, unfortunately, cannot offer financial rewards for reporting vulnerabilities at this time.

Questions

If you have any questions about this policy, please get in touch with us at [email protected].

Thank you for helping us keep Tremendous secure!