Responsible Disclosure

Last Updated: Dec 12, 2025

Tightknit is committed to keeping customer data safe and secure.

We value any input from the community that helps us detect vulnerabilities.

How to report an issue

If you discover a security vulnerability, please email us at [email protected]

Please include:

  • Description of the vulnerability

  • Steps to reproduce

  • Potential impact

  • Any proof-of-concept code (if applicable)

What we expect from you

  • Do not execute a Denial of Service (DoS) attack.

  • Do not run any automated tools against our servers.

  • Do not access or modify data that does not belong to you.

  • Do not publicly share the vulnerability details until we have addressed the issue.

What you can expect from us

  • We will perform our own risk assessment for every reported vulnerability.

  • If your report is not eligible, we will let you know.

  • If your report is valid, we will prioritize the issue and inform you once it's fixed.

  • We will let you decide whether you want to be publicly acknowledged or not.

In scope

Out of scope

  • Automated scanning

  • Social engineering

  • Password brute force

  • Clickjacking on pages with no sensitive actions

  • Missing security headers (unless you can prove exploitability)

  • Security issues only reproducible under highly unlikely conditions (using outdated or exotic web browsers, operating systems, or insecure internet connections)

Known issues

Clickjacking on tightknit.ai

We are aware of a clickjacking vulnerability on tightknit.ai related to the Content Security Policy frame-ancestors configuration. This is a known limitation of our Framer-hosted marketing site. Track the issue: Framer Community Discussion

This issue does not affect:

Bounty

We will offer a reward that can range from being mentioned in our acknowledgments to receiving a monetary amount, depending on the severity of the security issue and the quality of your report.

Please note that the reward is contingent upon the security issue being both serious and previously unidentified by Tightknit.