Scope
This policy applies to all TinyBell products and services:
- The TinyBell platform at thetinybell.com
- The TinyBell pixel script (pixel-header.js, pixel.css)
- The TinyBell API
- The TinyBell WordPress plugin
How to report
Send your report to info@thetinybell.com with the subject line [SECURITY].
Include:
- Description of the vulnerability
- Steps to reproduce the issue
- Impact assessment (what data or functionality is affected)
- Your contact information for follow-up
What we commit to
| Timeframe | Action |
|---|---|
| 48 hours | Acknowledge receipt of your report |
| 7 days | Provide an initial assessment and severity classification |
| 30 days | Deliver a fix or mitigation for confirmed vulnerabilities |
| 90 days | You may publicly disclose the vulnerability (coordinated disclosure) |
Rules of engagement
- Do not access or modify data belonging to other users
- Do not perform denial-of-service attacks
- Do not use automated scanning tools against production systems without prior approval
- Do not disclose the vulnerability publicly before the coordinated disclosure date
Out of scope
- Social engineering attacks against TinyBell staff
- Physical security issues
- Vulnerabilities in third-party services not operated by TinyBell
- Issues already reported by another researcher
Recognition
We acknowledge security researchers who responsibly disclose valid vulnerabilities. With your permission, we will list your name on this page.
CRA compliance
Under the EU Cyber Resilience Act (Regulation EU 2024/2847), TinyBell is required to:
- Report actively exploited vulnerabilities to ENISA within 24 hours
- Provide detailed technical notification within 72 hours
- Submit a final report within 1 month