Responsible Disclosure Policy
Updated:
Takt welcomes reports from security researchers and members of the public who help us improve the security of our systems and services.
If you believe you have identified a security vulnerability in a Takt-owned system, please let us know at security@takt.io.
Takt does not operate a bug bounty program and does not offer monetary compensation, rewards, or payment for vulnerability reports. Reports are accepted on a voluntary basis.
Scope
This policy applies to internet-facing systems, applications, and services that are owned and operated by Takt.
How to Report
Please send reports to security@takt.io and include as much of the following information as possible:
A clear description of the issue
The affected URL, endpoint, host, or service
Steps to reproduce the issue
Any proof-of-concept material that is necessary to validate the finding
The potential impact of the issue
Your contact information for follow-up questions
The more complete the report, the faster we can review it.
Researcher Guidelines
When conducting research under this policy, we ask that you:
Act in good faith and with the goal of improving security
Avoid disrupting Takt systems, users, or business operations
Avoid privacy violations, data destruction, and service degradation
Access only the minimum data necessary to confirm the issue
Stop testing immediately and notify us if you encounter customer data, personal data, credentials, or other sensitive information
Use only your own test accounts or accounts for which you have explicit permission
Keep information about the issue confidential until Takt has had a reasonable opportunity to investigate and remediate it
Report findings directly to Takt and not through public channels before coordination with us
Prohibited Activities
Under this policy, you must not:
Perform denial of service, resource exhaustion, or other disruptive testing
Use automated high-volume scanning that materially degrades service or generates excessive operational noise
Access, modify, delete, or exfiltrate data that does not belong to you
Attempt social engineering, phishing, physical intrusion, or attacks against Takt personnel, contractors, or vendors
Introduce malware, backdoors, or persistence mechanisms
Chain minor observations into speculative impact claims without a reproducible security issue
Demand payment or attempt to condition disclosure on compensation
Out of Scope
The following are generally out of scope unless they demonstrate a clear, reproducible, and material security impact:
Missing or non-ideal security headers
TLS or cipher configuration concerns without a demonstrated exploit path
SPF, DKIM, or DMARC issues without a demonstrated abuse scenario
Rate limiting observations without a demonstrated security impact
Clickjacking on pages with no sensitive action
Version disclosure, banner disclosure, or fingerprinting only
Best-practice recommendations without an exploitable vulnerability
Reports based solely on automated tooling output without validation
Duplicate reports
Issues in third-party services or systems not owned by Takt
What You Can Expect From Takt
If your report is in scope and contains enough detail for us to investigate, we will:
Review the submission and assess validity
Contact you if we need clarification
Work to remediate confirmed issues according to risk and operational priority
Coordinate with you on disclosure where appropriate
We may not respond to incomplete, automated, duplicate, or non-actionable reports.
Safe Harbor
If you act in good faith, comply with this policy, and make a reasonable effort to avoid harm to users, data, and service availability, Takt will not initiate legal action against you or request law enforcement investigation for accidental, good-faith conduct that is consistent with this policy.
This safe harbor applies only to claims that Takt can bring on its own behalf and does not bind any third party.
If you are unsure whether your planned research is consistent with this policy, contact security@takt.io before proceeding.
Disclosure
We ask that you give us a reasonable opportunity to investigate and address the issue before making any public disclosure.
Contact
All vulnerability reports should be submitted to: security@takt.io