Responsible disclosure & incident response

We take security reports seriously and we want to make it easy to tell us about a problem. This page explains how to report a vulnerability and what we commit to in return.

Last updated: 2026-06.

Reporting a vulnerability

If you believe you've found a security vulnerability in Twinbook, please email [[email protected]] (update to your real address) with:

  • a description of the issue and where you found it,
  • steps to reproduce (a proof of concept is helpful),
  • the potential impact as you see it, and
  • any suggested remediation.

Please report promptly and give us a reasonable opportunity to fix the issue before any public disclosure.

Rules of engagement

To keep testing safe for our users, please:

  • Only test against your own accounts and data. Do not access, modify, or exfiltrate other users' data.
  • Do not run denial-of-service attacks, spam, or large-scale automated scanning that could degrade the service for others.
  • Do not use social engineering, physical attacks, or attacks against our staff or vendors.
  • Stop and report as soon as you've demonstrated a vulnerability — you don't need to prove impact by pivoting further.

Our commitments to you

When you report in good faith under these rules, we commit to:

  • Acknowledge your report within a few business days.
  • Investigate and keep you updated on our assessment and remediation timeline.
  • Not pursue legal action against good-faith research that follows this policy.
  • Credit you (with your permission) once the issue is resolved, if you'd like recognition.

Incident response

If a security incident affects user data, we commit to:

  • Contain and investigate promptly using our logs and monitoring.
  • Notify affected users and institutional customers as required by law and by our agreements, with the facts as we understand them and the steps we're taking.
  • Remediate the root cause and apply preventive measures.

Institutional customers under a signed agreement receive incident-notification terms (including timelines and points of contact) as part of that agreement.

Scope

In scope: the Twinbook web and mobile apps, the Twinbook API, and our admin surface. Out of scope: third-party services we rely on (report those to the respective provider — see Subprocessors), and findings that require a compromised device or already-privileged account.

Thank you for helping keep Twinbook and its learners safe.