How Nine·Tails handles your data, and the responsible-disclosure process for reporting a vulnerability.
Pre-launch. The disclosure process below is live now. Once we publish a public-facing report-and-track tool (or sign on with a coordinated-disclosure platform), we'll update this page and link the canonical channel here.
If you've found a security issue in Nine·Tails — credentials exposure, broken access control, injection, anything — please write to hello@ninetailsagency.com with:
We aim to acknowledge every report within one business day and to share an initial assessment within five business days. We won't pursue legal action against researchers who report in good faith.
The full text lives in the Privacy Policy, but the short version:
The current list is in Privacy §5 and the formal DPA Appendix A. We notify customers in advance of new subprocessors via email and an in-product banner.
In the event of a confirmed breach affecting Customer Data, we notify the affected customer within 72 hours of confirming the incident. Notification includes the scope, the data categories involved, the remediation steps taken, and the steps we're recommending the customer take.
We don't run a paid bounty program at this time. We're a small team. If you find something significant, we'll thank you publicly (with your permission), credit you in the changelog, and — when we're financially able — settle up properly.
Security questions, disclosures, audit requests — write to hello@ninetailsagency.com.