Security & Vulnerability Reporting

If you discover a security vulnerability in TenderPath, please report it to us directly before disclosing it publicly. This gives us the opportunity to investigate and address the issue without exposing users to unnecessary risk.

• A description of the vulnerability and the potential impact.
• Steps to reproduce the issue or a proof-of-concept.
• The affected URL, endpoint, or component.
• Your contact details (optional, but helpful if we need to follow up).

• We will acknowledge your report within 5 business days.
• We will investigate and aim to keep you informed of our progress.
• We do not currently operate a formal bug bounty programme.

TenderPath targets a monthly uptime of 99.5% for its core production service, measured per calendar month and excluding scheduled maintenance, emergency maintenance, force majeure events, and third-party service failures (Vercel, Neon, Stripe, Resend, Cloudflare). This commitment does not extend to support response or resolution timelines.

We ask that you:

• Do not access, modify, or exfiltrate user data beyond what is needed to demonstrate the vulnerability.
• Do not perform denial-of-service attacks or disrupt service availability.
• Give us reasonable time to investigate and respond before public disclosure.
• Act in good faith throughout the process.

We commit to not pursuing legal action against researchers acting in good faith under these guidelines.

In scope: tenderpath.me, tenderpath.co, and associated API endpoints.

Out of scope: third-party services we use (Stripe, Vercel, Resend, Cloudflare). Please report vulnerabilities in those services directly to those providers.

For general security questions: info@tenderpath.me