Responsible disclosure policy
We take the security of Tickin and our customers' data seriously. If you believe you've found a vulnerability, we want to hear from you and we'll work with you to resolve it.
How to report
Email security@tickin.pro with a description of the issue, the steps to reproduce it, and any proof-of-concept. Please give us reasonable time to investigate and fix the issue before any public disclosure.
Expected response time
We aim to acknowledge your report within 3 business days and to provide an assessment or status update within 10 business days. Timelines to a fix depend on severity and complexity; we'll keep you informed.
Scope
- tickin.pro and its subdomains (app, api)
- The Tickin Slack and Microsoft Teams integrations
- Authentication, authorization, and tenant-isolation issues
- Data exposure, injection, and similar application vulnerabilities
Out of scope
- Denial-of-service (DoS/DDoS) and volumetric attacks
- Social engineering, phishing, or physical attacks against staff or offices
- Automated scanner output without a demonstrated, exploitable impact
- Best-practice/reporting issues with no security impact (e.g. missing headers on non-sensitive pages)
- Vulnerabilities in third-party services we use (report those to the vendor)
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, will not pursue or support legal action against you, and will work with you to understand and resolve the issue quickly. Please do not access or modify data that isn't yours, and don't degrade the service for others.
No bug bounty
We do not currently operate a paid bug-bounty program. This is a coordinated, responsible-disclosure policy only. We're grateful for reports and, with your permission, are happy to acknowledge your contribution.
See also our security overview. Machine-readable contact: /.well-known/security.txt.