At Typeform our top priority is the safety and security of your data. To encourage responsible reporting of potential security vulnerabilities, we are committed to working with our community to verify, reproduce, and respond to legitimate reports.
Responsible Disclosure Guidelines
Our security team investigates all reported security issues as quickly as possible. If you think you’ve found a bug in Typeform’s security, or have a security incident to report, please get in touch using this typeform, or email us at firstname.lastname@example.org. If you want to encrypt your communications with us, please use our PGP public key – KeyID: AB2AE591.
We run an invite-only Bug Bounty program. So, when contacting us, please mention the email where you would like to receive the invitation. Once you've received the invitation you can specify all the details in the Bug Bounty platform.
Please don’t publicly disclose the issue until it has been addressed by Typeform. We'll try our best to meet our program's defined action times when triaging the report.
When reporting a vulnerability, please provide as much detail as you can, to help us with validation and reproduction of it. Vulnerabilities must be disclosed to us privately, and should be made in good faith. We will not prosecute people for reporting vulnerabilities, as long as no malicious attempt to compromise other user accounts has been made.
We understand the hard work that goes into security research. We’ll show our appreciation in the best way we can, based on the effort needed, criticality of the issue, and the responsible disclosure of the potential vulnerability.