> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thetinybell.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Vulnerability Disclosure Policy

> How to report security vulnerabilities in TinyBell.

## Scope

This policy applies to all TinyBell products and services:

* The TinyBell platform at thetinybell.com
* The TinyBell pixel script (pixel-header.js, pixel.css)
* The TinyBell API
* The TinyBell WordPress plugin

## How to report

Send your report to **[info@thetinybell.com](mailto:info@thetinybell.com)** with the subject line `[SECURITY]`.

Include:

1. **Description** of the vulnerability
2. **Steps to reproduce** the issue
3. **Impact assessment** (what data or functionality is affected)
4. **Your contact information** for follow-up

## What we commit to

| Timeframe | Action                                                               |
| --------- | -------------------------------------------------------------------- |
| 48 hours  | Acknowledge receipt of your report                                   |
| 7 days    | Provide an initial assessment and severity classification            |
| 30 days   | Deliver a fix or mitigation for confirmed vulnerabilities            |
| 90 days   | You may publicly disclose the vulnerability (coordinated disclosure) |

## Rules of engagement

* Do not access or modify data belonging to other users
* Do not perform denial-of-service attacks
* Do not use automated scanning tools against production systems without prior approval
* Do not disclose the vulnerability publicly before the coordinated disclosure date

## Out of scope

* Social engineering attacks against TinyBell staff
* Physical security issues
* Vulnerabilities in third-party services not operated by TinyBell
* Issues already reported by another researcher

## Recognition

We acknowledge security researchers who responsibly disclose valid vulnerabilities. With your permission, we will list your name on this page.

## CRA compliance

Under the EU Cyber Resilience Act (Regulation EU 2024/2847), TinyBell is required to:

* Report actively exploited vulnerabilities to ENISA within **24 hours**
* Provide detailed technical notification within **72 hours**
* Submit a final report within **1 month**

This vulnerability disclosure policy is part of our CRA compliance program. We maintain this channel as required by Article 13(6) of the CRA.
