Security

Security Policy

How to responsibly report security vulnerabilities to Entrello

Last updated: April 2026

Our Commitment

At Entrello, we take the security of our products and the privacy of our users seriously. We welcome reports from security researchers and the broader community who help us identify and resolve vulnerabilities responsibly. If you believe you have found a security vulnerability in any of our products, we encourage you to let us know as soon as possible. We will investigate all legitimate reports and do our best to quickly address the issue.

Scope

The following assets are in scope for responsible disclosure:

Asset                    Description
entrello.app             Web application
iOS App                  Entrello on the Apple App Store
Android App              Entrello on Google Play
API                      All endpoints under entrello.app/api
Backend infrastructure   Servers, databases, and cloud services operated by Entrello

We welcome reports on vulnerabilities that demonstrate a concrete impact on the confidentiality, integrity, or availability of our systems or user data. Examples include authentication bypasses, injection flaws, unauthorised data access, and privilege escalation. A working proof of concept is required.

Activities that are not authorised:

  • Testing third-party services and tools we use but do not control
  • Attacks requiring physical access to a device or our offices
  • Social engineering of our staff, customers, or partners
  • Denial of service, volumetric, or load testing of any kind

Findings that generally do not qualify:

  • Missing or misconfigured HTTP security headers (CSP, HSTS, X-Frame-Options, etc.) without a demonstrated exploit
  • TLS or SSL configuration preferences (cipher suites, protocol versions) without a concrete attack
  • SPF, DKIM, or DMARC findings on domains that do not send email
  • Generic output from automated scanners (Nuclei, Nessus, Burp, ZAP, etc.) without a working proof of concept
  • Self-XSS, or XSS that requires a victim to paste payloads into their own browser console
  • Clickjacking on pages without sensitive state-changing actions
  • Open redirects without additional security impact
  • Software version disclosure, banner grabbing, or fingerprinting
  • Missing rate limits on endpoints that do not handle authentication or sensitive actions
  • Theoretical issues without a demonstrated exploit path

Reports that consist solely of items in the lists above, or that are mass-mailed from automated scanners, may be closed without a substantive response.

How to Report

Please submit vulnerability reports by email to:

sec@entrello.io

For sensitive reports, please encrypt your message using our PGP key: https://www.entrello.app/.well-known/pgp-key.txt

Your report should include:

  • A description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions
  • Any relevant screenshots, logs, or proof-of-concept code
  • The affected asset and URL/endpoint (if applicable)

What to Expect From Us

Milestone                             Timeframe
Acknowledgement of your report        Within 5 business days
Confirmation of validity              Within 14 days
Status update on remediation          Every 14 days
Resolution of critical issues         As quickly as practicable
Resolution of high severity issues    Within a coordinated timeline

We will keep you informed throughout the process and notify you when the vulnerability has been resolved.

Safe Harbour

Entrello will not take legal action against researchers who:

  • Act in good faith and follow this policy
  • Avoid accessing, modifying, or deleting data that does not belong to them
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it
  • Do not disclose the vulnerability publicly before we have had a reasonable opportunity to address it
  • Do not disrupt or degrade our services during testing

We consider responsible security research conducted under these guidelines to be authorised activity and will work with researchers rather than against them. This authorisation does not extend to research that violates applicable law, accesses or modifies data that does not belong to you, degrades the service for others, or demands payment in exchange for findings.

Coordinated Disclosure

We ask that you give us a reasonable amount of time to resolve a reported issue before public disclosure. We will agree on a disclosure timeline together based on the severity and complexity of the fix.

If we are unable to resolve an issue within 90 days, we support your right to publish your findings, and we will work with you on the timing.

Recognition

We do not currently operate a paid bug bounty programme. By submitting a report, you acknowledge that any reward is at our discretion, that you have no expectation of payment, and that you waive any future claim for compensation. Demands for payment in exchange for vulnerability information are not in scope of this policy and will not be entertained.

We are happy to publicly acknowledge researchers who report valid, in-scope vulnerabilities, on request.