Security
Policy
Last updated · January 2026
TENET takes the security of its systems and the privacy of its users seriously. We welcome responsible disclosure of vulnerabilities and commit to acknowledging, investigating, and resolving valid reports in good faith.
Scope
This policy covers tenet.works and any subdomains operated directly by TENET. Third-party services linked from the site are governed by their own policies.
How to report
Please send encrypted reports to security@tenet.works using the PGP key published at /.well-known/pgp-key.asc.
Include:
- A clear description of the issue and its impact.
- Step-by-step instructions to reproduce.
- Any proof-of-concept code, screenshots, or logs.
- Your preferred contact channel for follow-up.
What we ask of researchers
- Give us reasonable time to investigate and remediate before public disclosure.
- Avoid tests that could degrade service, access user data, or affect other users.
- Do not exploit a vulnerability beyond what is necessary to prove its existence.
- Respect applicable laws and our Terms of Use.
Our commitment
- Acknowledge receipt of your report within 72 hours.
- Provide an initial assessment within 7 business days.
- Coordinate disclosure and credit (if desired) once remediation is complete.
- We will not pursue legal action against researchers who act in good faith under this policy.
Out of scope
- Automated scanner output without demonstrated impact.
- Missing best-practice headers with no practical exploit path.
- Issues requiring physical access, rooted devices, or privileged user co-operation.
- Social engineering of employees or clients.
PLACEHOLDER — replace with final disclosure policy before launch.