Keeping customer data safe and secure is a huge responsibility and our top priority. We work hard to protect our customers from the latest threats, so your input and feedback on our security is always appreciated.
Reporting security problems
We are happy to work with security researchers, and we acknowledge the positive work they do to make the internet a safe place to work. If you discover a flaw in our security that could impact Timetastic or our customers, please let us know by contacting our support team.
We read all requests and will get back to you as soon as we can, usually within 24 hours.
The following security issues are currently not in scope (please don’t report them):
- Volumetric vulnerabilities (i.e. simply overwhelming our service with a high volume of requests).
- TLS configuration weaknesses (e.g. "weak" ciphersuite support, TLS 1.0 support, Sweet32 etc.).
- Reports of non-exploitable vulnerabilities.
- Reports indicating that our services do not fully align with "best practice", e.g. missing security headers (CSP, x-frame-options, x-prevent-xss etc.) or suboptimal email-related configuration (SPF, DMARC etc.).
Dealing with security reports
We’ll investigate the issue and determine how it impacts Timetastic. We won’t disclose issues until our investigation is finished, but we’ll work with you to ensure we fully understand the issue.
Once the issue is resolved, we’ll post a security update on our changelog and, if you wish, a thanks and credit for the discovery.