New: tightknit.dev — open source projects from the Tightknit team. Explore

Responsible Disclosure

View as Markdown

Last updated · December 12, 2025

Tightknit takes the security of our users, customers, and systems seriously. We welcome responsible security research and coordinated vulnerability disclosure that helps keep our products and infrastructure safe.

This policy explains how to report security vulnerabilities, what systems are in scope, how we will respond, and the protections we offer to researchers who follow these guidelines.

How to Report a Vulnerability

If you believe you have discovered a security vulnerability affecting Tightknit, please report it as soon as possible.

Contact: security@tightknit.ai

Please include:

  • A clear description of the vulnerability
  • The affected product, service, or URL
  • Steps to reproduce the issue
  • The potential impact and severity
  • Proof-of-concept code or screenshots (if applicable)

Reports that include clear reproduction steps and impact analysis will be prioritized.

Our Commitment to You

When you submit a report that complies with this policy, Tightknit commits to:

  • Acknowledging receipt of your report within 3 business days
  • Providing status updates at least every 14 days while the issue is being investigated
  • Working toward a fix as quickly as possible, based on severity and risk
  • Coordinating disclosure with you before any public release

We value your effort and will treat all reports with respect and confidentiality.

Safe Harbor

If you make a good-faith effort to comply with this policy:

  • We will not pursue legal action against you for your security research
  • We consider your research to be authorized under this policy
  • We will not initiate or support law-enforcement action related to your report

This assurance applies only to research conducted within the scope and rules defined below.

Scope

In Scope

  • tightknit.ai and subdomains
  • Tightknit web applications and APIs
  • Tightknit-owned infrastructure and services

Out of Scope

  • Third-party services or infrastructure not owned by Tightknit
  • Social engineering (phishing, pretexting, etc.)
  • Physical security testing
  • Denial-of-service attacks or traffic flooding
  • Automated vulnerability scanning that degrades service
  • Issues requiring unlikely or impractical user interaction

If you are unsure whether a target is in scope, contact us before testing.

Rules of Engagement

Researchers must:

  • Test only accounts and data you own or have explicit permission to use
  • Avoid accessing, modifying, or deleting other users' data
  • Avoid service disruption or degradation
  • Stop testing and report immediately upon discovering sensitive data

Researchers must not:

  • Use exploits beyond what is necessary to demonstrate impact
  • Pivot to other systems or accounts
  • Publicly disclose the vulnerability before coordination

Vulnerability Handling Process

  1. Submission – You report the issue to security@tightknit.ai
  2. Acknowledgment – We confirm receipt within 3 business days
  3. Triage – We assess severity, scope, and impact
  4. Remediation – We develop and deploy a fix
  5. Disclosure – We coordinate timing and attribution (if desired)

Recognition & Bounties

At our discretion, we may:

  • Publicly acknowledge your contribution
  • Offer a monetary bounty or non-monetary reward

Rewards are based on severity, impact, and report quality. Submission of a report does not guarantee compensation.

Security.txt

We support the industry-standard security.txt file for vulnerability reporting.

You can find it at:

https://tightknit.ai/.well-known/security.txt

Questions

If you have questions about this policy or planned testing, contact us at:

security@tightknit.ai

We appreciate the security community's help in keeping Tightknit safe.