How to report a security vulnerability to Typeform

At Typeform our top priority is the safety and security of your data. To encourage responsible reporting of potential security vulnerabilities, we are committed to working with our community to verify, reproduce, and respond to legitimate reports.

Responsible Disclosure Guidelines

We run a Vulnerability Disclosure Program hosted by HackerOne. If you think you've found a bug in Typeform's security, or have a security incident to report, please sign-up to HackerOne and submit a report through the program.

Unfortunately, we're unable to accept reports through any other means.

Please don't publicly disclose the issue until it's been addressed by Typeform. We'll try our best to meet our program's defined action times when triaging the report.

When reporting a vulnerability, please provide as much detail as you can, to help us with validation and reproduction of it. Vulnerabilities must be disclosed to us privately, and should be made in good faith. We will not prosecute people for reporting vulnerabilities, as long as no malicious attempt to compromise other user accounts has been made.