Security Policy
Last Updated: February 27, 2026
1. Commitment to Security
TenantFlow handles sensitive property management data including financial transactions, lease agreements, and personal information. We take the security of our platform seriously and appreciate the work of security researchers who help us maintain the safety of our users.
This policy outlines how to report security vulnerabilities responsibly and what you can expect from us in return.
2. Reporting a Vulnerability
If you discover a security vulnerability, please report it to us by email:
- Email: security@tenantflow.app
- Encrypt sensitive details using our PGP public key
Please include the following in your report:
- A clear description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Any relevant URLs, screenshots, or proof-of-concept code
- Your contact information for follow-up questions
3. Response Timeline
- Acknowledgment: We aim to acknowledge your report within 24 hours.
- Assessment: We will assess the severity and share our initial assessment with you within 72 hours.
- Resolution: Critical and high-severity issues are prioritized for immediate remediation. We will keep you informed of our progress.
- Disclosure: We follow a 90-day coordinated disclosure timeline. We will work with you to agree on a public disclosure date after the fix has been deployed.
4. Scope
4.1 In Scope
- tenantflow.app and all subdomains
- Authentication and authorization vulnerabilities
- Data validation and injection attacks (SQL injection, XSS, CSRF, SSRF)
- Remote code execution
- Privilege escalation
- Information disclosure (PII, financial data, credentials)
- Row Level Security bypass in database access
- Payment processing vulnerabilities (Stripe integration)
- Edge Function and API endpoint security issues
4.2 Out of Scope
- Social engineering attacks against employees or users
- Physical security issues
- Denial of service (DoS/DDoS) attacks
- Spam or content injection without security impact
- Issues requiring extensive or unlikely user interaction
- Vulnerabilities in third-party services (Stripe, Supabase, Vercel) — please report directly to those providers
- Outdated software versions without a demonstrated exploit
- Missing security headers that do not lead to a direct vulnerability
5. Safe Harbor
We consider security research conducted in accordance with this policy to be authorized, and we will not pursue legal action against researchers who:
- Act in good faith and follow this disclosure policy
- Avoid accessing, modifying, or deleting data belonging to other users
- Do not disrupt or degrade the service for other users
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Report vulnerabilities promptly and do not publicly disclose before coordination with us
If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will take reasonable steps to make it known that your actions were authorized under this program.
6. Recognition
We value the contributions of security researchers. With your permission, we will acknowledge your contribution after the issue has been resolved. We do not currently offer monetary bounties, but we are open to discussing this for critical findings.
7. Contact
For security-related inquiries, contact us at security@tenantflow.app.
For general support, visit our Support Center or email support@tenantflow.app.