Security Policy
TENETWORKS takes the security of its systems and the privacy of its users seriously. We welcome responsible disclosure of vulnerabilities and commit to acknowledging, investigating, and resolving valid reports in good faith.
Scope
This policy covers tenet.works and any subdomains operated directly by TENETWORKS. Third-party services linked from the site are governed by their own policies.
- The tenet.works Website and all associated subdomains operated directly by TENETWORKS.
- Application-layer components, APIs, and web services forming part of TENETWORKS's own digital infrastructure.
- TENETWORKS's authentication systems, session management, and access-controlled areas.
- Data storage and processing systems operated by or on behalf of TENETWORKS.
This Policy does not cover:
- Third-party services, platforms, and tools linked from the Website but not operated by TENETWORKS.
- Client-operated systems, platforms, or digital products produced as Deliverables for Clients.
- Systems of TENETWORKS's subprocessors and infrastructure providers.
How to report
Please send encrypted reports to security@tenet.works using the PGP key published at /.well-known/pgp-key.asc.
2.1 Infrastructure Security
- A clear description of the issue and its impact.
- Step-by-step instructions to reproduce.
- Any proof-of-concept code, screenshots, or logs.
- Your preferred contact channel for follow-up.
2.2 Access Security
- Access to TENETWORKS's administrative systems is controlled through role-based access permissions and multi-factor authentication for all privileged accounts.
- Credentials are managed through enterprise-grade password management systems. Default credentials are not used on any deployed system.
- Access rights are reviewed and revoked promptly upon changes in personnel status or role.
2.3 Dependency and Supply Chain Security
- Third-party software dependencies used in TENETWORKS's systems are monitored for known security vulnerabilities and updated on a risk-prioritised basis.
- Open-source components are selected from maintained, reputable projects. Unmaintained or high-risk dependencies are replaced as identified.
- Third-party subprocessors and infrastructure vendors are assessed for security compliance as part of the onboarding process.
2.4 Monitoring and Incident Response
- TENETWORKS maintains logging and monitoring capabilities to detect anomalous access patterns, potential intrusion attempts, and security-relevant events.
- A documented incident response procedure governs TENETWORKS's response to confirmed or suspected security incidents, including containment, assessment, remediation, and notification steps.
- In the event of a confirmed Personal Data breach meeting the reporting threshold under applicable law, TENETWORKS will notify the relevant supervisory authority and affected individuals within the timeframes required by applicable law.
What we ask of researchers
TENETWORKS operates a responsible vulnerability disclosure programme through which security researchers may report suspected vulnerabilities in TENETWORKS's systems in good faith. TENETWORKS is committed to receiving, acknowledging, investigating, and resolving valid security reports in a transparent and collaborative manner.
TENETWORKS does not operate a paid bug bounty programme at this time. Disclosure is governed by the principles of coordinated vulnerability disclosure (CVD) as recommended by internationally recognised cybersecurity standards bodies, including ISO/IEC 29147.
Our commitment
To report a suspected security vulnerability in TENETWORKS's systems, please submit your report by encrypted email to:
security@tenet.works
Where available, please encrypt your report using the PGP public key published at /.well-known/pgp-key.asc.
Your report should include, to the extent practicable:
- Acknowledge receipt of your report within 72 hours.
- Provide an initial assessment within 7 business days.
- Coordinate disclosure and credit (if desired) once remediation is complete.
- We will not pursue legal action against researchers who act in good faith under this policy.
- Your assessment of the potential severity and exploitability of the vulnerability, including any relevant CVSS score if calculated.
- Your preferred contact channel for follow-up communications.
- Whether you wish to be credited publicly upon remediation and disclosure, and if so, the name or handle under which you wish to be credited.
Reports may be submitted anonymously. However, anonymous reporters will be unable to receive direct follow-up communications regarding the resolution of the report.
Out of scope
TENETWORKS asks that all security researchers engaging with this disclosure programme adhere to the following principles of responsible conduct. Compliance with these principles is a condition of TENETWORKS's commitment not to pursue legal action against good-faith researchers.
- Coordinated Disclosure: Provide TENETWORKS with a reasonable and proportionate period to investigate and remediate the vulnerability before disclosing it publicly. TENETWORKS's standard remediation window is ninety (90) calendar days from the date of acknowledgement.
- Minimum Necessary Access: Limit testing and exploitation to the minimum extent necessary to establish and demonstrate the vulnerability's existence. Do not extract, copy, modify, delete, or exfiltrate any user data beyond what is minimally necessary to confirm the vulnerability.
- No Service Disruption: Do not conduct any testing that is designed or likely to degrade, interrupt, or destabilise the availability of the Website or TENETWORKS's systems, including denial-of-service or distributed denial-of-service testing.
- No Targeting of Third Parties: Restrict testing exclusively to systems within the scope defined in Section 01. Do not attempt to access, exploit, or disclose vulnerabilities in third-party systems, Client systems, or subprocessor infrastructure.
- No Social Engineering: Do not attempt to compromise TENETWORKS's systems or personnel through social engineering, phishing, pretexting, or physical access methods.
- Legal Compliance: Conduct all research and testing in compliance with applicable laws in your jurisdiction. This programme does not authorise any conduct that would constitute a criminal offence under applicable law.
- Confidentiality: Treat information about an identified vulnerability as strictly confidential until TENETWORKS has confirmed remediation and agreed a disclosure date.
TENETWORKS's Commitment to Researchers
In respect of reports submitted and conduct undertaken in compliance with this Policy, TENETWORKS commits to the following:
In addition, TENETWORKS commits to:
- Engaging with researchers in good faith, providing substantive updates on report status as investigations progress.
- Not pursuing legal action against researchers who have acted in compliance with this Policy, discovered a valid in-scope vulnerability, and reported it through the designated channel without exploiting it beyond demonstration of existence.
- Crediting researchers publicly upon request in any security advisory or public disclosure relating to the reported vulnerability, subject to researcher consent.
- Maintaining the confidentiality of the researcher's identity and report details to the extent consistent with TENETWORKS's legal obligations.
TENETWORKS's commitment not to pursue legal action is conditional on the researcher's compliance with Section 05 and does not extend to conduct that violates applicable criminal law regardless of intent.
Out-of-Scope Issues
The following categories of issues are considered out of scope for this vulnerability disclosure programme:
- Automated scanner output submitted without accompanying manual analysis, exploitation demonstration, or assessed impact relevant to TENETWORKS's systems.
- Missing HTTP security headers where no practical, demonstrated exploitation path affecting real user data or system integrity is presented.
- SSL/TLS configuration issues that do not affect supported, current-generation browser connectivity and where no practical attack vector against current clients is demonstrated.
- Absence of security best practices where no demonstrated exploitability or material user harm is shown.
- Vulnerabilities requiring physical access to a device, local network access, a rooted or jailbroken device, or the active cooperation of a privileged user.
- Social engineering, phishing, or pretexting attacks targeting TENETWORKS personnel.
- Denial-of-service vulnerabilities that rely on volumetric network-level flooding rather than application-layer logic flaws.
- Vulnerabilities in third-party services, platforms, or software not operated by TENETWORKS.
- Content injection issues where the injected content cannot execute in the context of any other user's browser session.
- Reports relating to activities that are themselves violations of applicable law.
Applicable Legal Framework
This Security Policy and the vulnerability disclosure programme operate within and do not supersede applicable cybersecurity, computer misuse, and data protection legislation in any jurisdiction. Relevant applicable frameworks include, without limitation:
- UAE Federal Law No. 34 of 2021 on Combating Rumours and Cybercrimes and related UAE cybersecurity regulations.
- UK Computer Misuse Act 1990, as amended.
- India's Information Technology Act 2000 and applicable cybersecurity rules.
- US Computer Fraud and Abuse Act (CFAA), to the extent applicable to activities affecting systems accessible from the United States.
- EU Network and Information Security Directive (NIS2 Directive) principles, where applicable.
- Applicable data protection legislation in all jurisdictions from which research activities are conducted, including GDPR, UK GDPR, and UAE PDPL.
Nothing in this Policy constitutes legal advice, an authorisation to conduct activities that violate applicable law, or a waiver of TENETWORKS's legal rights in connection with unlawful conduct.
For all security reports and security-related enquiries: security@tenet.works