Security Disclosure Policy
How to report vulnerabilities. We respond within 48 hours.
Scope
| Target | In scope |
|---|---|
| tafkiro.com and all subdomains | ✓ Yes |
| Tafkiro Cloud platform (*.tafkiro.app) | ✓ Yes |
| Tafkiro API (api.tafkiro.com) | ✓ Yes |
| Mobile applications (when published) | ✓ Yes |
| Third-party services (Cal.com, infrastructure providers) | ✗ No |
| Social media accounts | ✗ No |
| Physical infrastructure | ✗ No |
Responsible disclosure
We take security seriously. If you discover a vulnerability in any Tafkiro system, we ask that you report it to us responsibly before public disclosure.
Report vulnerabilities to: [email protected]. Use our PGP key (available at tafkiro.com/security.asc) for sensitive reports.
We commit to: acknowledging your report within 48 hours, providing a status update within 7 days, notifying you when the vulnerability is resolved, and crediting you in our Hall of Fame (if you wish).
What we ask of you
Do not access, modify, or delete data belonging to other users.
Do not perform denial-of-service attacks, automated scanning at high volume, or social engineering of our team.
Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate — we ask for at least 90 days.
Act in good faith. We will not pursue legal action against researchers who follow these guidelines.
Severity and response SLA
Critical (RCE, authentication bypass, mass data exposure): patch target 72 hours.
High (privilege escalation, significant data leakage): patch target 7 days.
Medium (CSRF, stored XSS, insecure direct object reference): patch target 30 days.
Low (information disclosure, rate limiting issues): patch target 90 days.
Security posture
For full details of our security programme (encryption, access controls, penetration testing, SOC 2 status, and incident response) see our Security page at tafkiro.com/security.