Responsible Disclosure Policy

Retently welcomes reports from security researchers who identify vulnerabilities in our products and infrastructure. This page describes how to submit a report, what we commit to in return, and what is and isn’t in scope.

How to Report

Email [email protected] with the following:

  • A clear description of the issue and its impact
  • Steps to reproduce, including affected URLs, parameters, and accounts
  • Any relevant logs, screenshots, or proof-of-concept code
  • Your name or handle if you would like to be considered for acknowledgment

We review every report manually and aim to acknowledge new submissions within two business days.

Our Commitments

When you submit a valid report in good faith, we will:

  • Acknowledge receipt and assign someone to investigate
  • Keep you informed as we triage, fix, and deploy
  • Not pursue legal action against researchers who follow this policy

Rewards and Acknowledgment

Retently does not operate a paid bug bounty program and does not offer monetary rewards. At our discretion, we may publicly acknowledge researchers whose reports lead to a deployed fix. This is not guaranteed and is granted case by case.

Coordinated Disclosure

By submitting a report, you agree to allow Retently a reasonable time to remediate before any public disclosure. We expect a minimum of 90 days of confidential coordination from the date of receipt before any researcher publishes details.

Out of Scope

The following are not in scope, and reports limited to these categories will be closed without further action:

  • Missing or misconfigured security headers (CSP, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy)
  • SPF, DKIM, or DMARC configuration findings
  • Open redirects without demonstrated impact
  • Email or username enumeration
  • CORS misconfigurations without a working exploit
  • Output from automated scanners with no manual verification
  • Self-XSS or vulnerabilities requiring physical access to a victim’s device
  • Rate limiting or brute force on non-critical endpoints
  • Theoretical issues with no working proof of concept
  • Social engineering of Retently staff, customers, or vendors
  • Denial of service or volumetric attacks
  • Reports based solely on outdated software banners without a demonstrated exploit

Safe Harbor

We will not pursue or support legal action against researchers who:

  • Make a good-faith effort to follow this policy
  • Do not access, modify, or delete data belonging to other users
  • Do not degrade service availability for other users
  • Do not publicly disclose details before we have had a reasonable opportunity to remediate