Responsible Disclosure Program
Thank you for helping keep Tenor and our users secure!
Why We Have This Page
Security researchers, customers, and curious hackers can help us identify potential weaknesses before bad actors do. This public-facing page explains how to report a vulnerability safely and what you can expect from us in return.
Scope
In scope:
- Any publicly reachable Tenor service, API, or sub‑domain
- Mobile and web apps published by us
- Cloud infrastructure we directly control (e.g., AWS resources hosting our products)
Out of scope:
- Social‑engineering or physical attacks
- Denial‑of‑Service (DoS), spam/flood, or rate‑limit/brute‑force tests
- Vulnerabilities in third‑party platforms unless they directly risk Tenor data or users
- Clickjacking/UI‑redressing on pages with no authenticated or sensitive action
- Missing or weak HTTP security headers alone (e.g., X‑Frame‑Options, CSP)
- Automated scanner results with no working proof‑of‑concept
- Low‑impact config gaps
How to Report & Safe‑Harbor
Send your findings to security@tenorhq.com (attachments ≤ 20 MB) and include:
- Descriptive title and affected asset/URL
- Step‑by‑step reproduction instructions or working proof‑of‑concept code
- Expected vs. actual behaviour and potential impact
- Your contact info for follow‑up and recognition credit
Safe‑Harbor: Our Promise
- Test only within the scope above.
- Use only accounts and data you personally control—don’t access other users’ info.
- Do not leak, modify, or delete data. Stop testing and tell us immediately if you encounter personal data.
- We give you safe‑harbor: follow these rules and we won’t take legal action or involve law‑enforcement.
- Give us 90 days to remediate before you publish details (coordinated disclosure).
Reports without a reproducible proof‑of‑concept or clear security impact may be closed as Informational.
What Happens Next
- Acknowledge – We email you within 2 business days with a ticket ID.
- Assessment – Within 5 business days we assign a severity rating and outline next steps.
- Remediation – We work to fix issues within our policy timelines (Critical within 7 days, High within 30 days) and keep you updated at least every 30 days.
- Credit & Disclosure – Once fixed we’ll ask if you’d like public recognition on our Responsible Disclosure page and, if agreed, publish a short advisory.
Recognition
- Listing on our Tenor Responsible Disclosure Hall‑of‑Fame for valid, non‑duplicate reports
- Swag pack (stickers, T‑shirt) for Medium‑or‑higher severities
- No monetary bounties at launch – we may introduce them later
Rules for Testers (Read Before Hacking)
- One report, one researcher – Only the first clear, reproducible report of an issue is eligible for recognition; later duplicates are closed as Duplicate.
- No automated scanning or rate‑limit/brute‑force testing that could degrade the service.
- No social‑engineering, phishing, or physical‑security testing.
- Keep it secret for now – Do not publicly share details until we confirm the fix or 90 days have passed, whichever comes first.