How to report a security vulnerability to Typeform

At Typeform our top priority is the safety and security of your data. To encourage responsible reporting of potential security vulnerabilities, we are committed to working with our community to verify, reproduce, and respond to legitimate reports.

Responsible Disclosure Guidelines

We run an invitation-only Bug Bounty program. If you think you’ve found a bug in Typeform’s security, or have a security incident to report, please email us at security@typeform.com and mention the email address where you would like to receive the invitation.

Once you’ve received the invitation, you can specify all the details in the Bug Bounty platform.
Our security team investigates all reported security issues as quickly as possible.

Please don’t publicly disclose the issue until it has been addressed by Typeform. We'll try our best to meet our program's defined action times when triaging the report.

When reporting a vulnerability, please provide as much detail as you can, to help us with validation and reproduction of it. Vulnerabilities must be disclosed to us privately, and should be made in good faith. We will not prosecute people for reporting vulnerabilities, as long as no malicious attempt to compromise other user accounts has been made.

We understand the hard work that goes into security research. We’ll show our appreciation in the best way we can, based on the effort needed, criticality of the issue, and the responsible disclosure of the potential vulnerability.