Tilled's security and engineering teams take security bugs in our services and applications very seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contribution(s).
If you identify a security issue, please send an email to the Tilled Security team at:
security@tilled.com
In your email, please provide a detailed proof of concept (POC) and/or evidence clearly outlining the vulnerability and security impact of the issue. Please include the string "Tilled SDK Vulnerability" in the subject line. If you have a HackerOne account, feel free to include your H1 username or associated email address and we'll also invite you to our private Bug Bounty program. While our SDKs are not explicitly in scope for our Bug Bounty program, if the bug or issue impacts other downstream assets or we make changes to our core services (APIs, Web Applications, etc.) based on your report, we may award a bounty.
Note: A HackerOne account and report submission to our program are required to receive any bounty award. We will not award a bounty unless it is through that program and complies with our program policy and HackerOne's policies.
Tilled's information security team will send a response outlining any next steps necessary in handling your report. After the initial reply to your report, we'll keep you informed of the progress towards a fix and/or disclosure (if applicable) and may ask for additional information or guidance regarding the issue.
Note: Please report security bugs in any third-party modules, libraries, and/or dependencies to the person, organization, or team that owns and/or supports those resources.