Responsible Disclosure Policy
Last updated: August 19, 2024
At Tremendous, we prioritize the security and privacy of our users and their data. We take all potential security issues seriously and are committed to addressing them promptly. If you believe you have discovered a vulnerability in our platform, we encourage you to report it to us responsibly.
Reporting a Vulnerability
If you identify a security vulnerability, please share the details with us by emailing [email protected]. Include the following information in your report:
A detailed description of the vulnerability
Steps to reproduce the issue
Any supporting evidence, such as screenshots or logs
Your contact information
Requesting a copy of our SOC 2 report
Please email your customer success manager, or [email protected] if you do not have one. [email protected] will not be able to help with requests for SOC 2 reports.
Our Commitment
We are committed to addressing security vulnerabilities responsibly. When you report a vulnerability to us, we commit to:
Acknowledging receipt of your report within 3 business days
Providing an estimated timeline for addressing the vulnerability
Notifying you when the issue has been resolved
Safe Harbor
To encourage responsible vulnerability disclosure and protect researchers, Tremendous follows these guidelines:
We will not take legal action against researchers who report vulnerabilities in good faith
We will not suspend or terminate access to our services for researchers who comply with this policy
We will work with researchers to understand and resolve the issue promptly
Scope
This policy applies to vulnerabilities discovered in any of the services provided by Tremendous, including but not limited to:
Tremendous website and web applications
Tremendous API
Tremendous recipient experience
Any other services operated by Tremendous
Exclusions
While we appreciate your efforts to identify security vulnerabilities, the following activities are explicitly excluded from this policy:
Denial of Service (DoS) attacks
Social engineering or phishing attacks
Physical attacks on Tremendous property or data centers
Bug Bounty
We do not offer a bug bounty program and, unfortunately, cannot offer financial rewards for reporting vulnerabilities at this time.
Questions
If you have any questions about this policy, please get in touch with us at [email protected].
Thank you for helping us keep Tremendous secure!