Security

Vulnerability Disclosure Policy

How to responsibly report security vulnerabilities to Entrello

Last updated: March 2026

Our Commitment

At Entrello, we take the security of our products and the privacy of our users seriously. We welcome reports from security researchers and the broader community who help us identify and resolve vulnerabilities responsibly. If you believe you have found a security vulnerability in any of our products, we encourage you to let us know as soon as possible. We will investigate all legitimate reports and do our best to quickly address the issue.

Scope

The following assets are in scope for responsible disclosure:

Asset                     Description
entrello.app              Web application
iOS App                   Entrello on the Apple App Store
Android App               Entrello on Google Play
API                       All endpoints under entrello.app/api
Backend infrastructure    Servers, databases, and cloud services operated by Entrello

Out of scope:

  • Third-party services and tools we use but do not control
  • Vulnerabilities requiring physical access to a device
  • Social engineering attacks targeting our staff
  • Denial of service (DoS/DDoS) attacks
  • Automated scanner output without proof of exploitability

How to Report

Please submit vulnerability reports by email to:

sec@entrello.app

For sensitive reports, please encrypt your message using our PGP key: https://www.entrello.app/.well-known/pgp-key.txt

Your report should include:

  • A description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions
  • Any relevant screenshots, logs, or proof-of-concept code
  • The affected asset and URL/endpoint (if applicable)

What to Expect From Us

Milestone                              Timeframe
Acknowledgement of your report         Within 72 hours
Confirmation of validity               Within 7 days
Status update on remediation           Every 14 days
Resolution of critical issues          Within 7 days of confirmation
Resolution of high severity issues     Within 30 days of confirmation

We will keep you informed throughout the process and notify you when the vulnerability has been resolved.

Safe Harbour

Entrello will not take legal action against researchers who:

  • Act in good faith and follow this policy
  • Avoid accessing, modifying, or deleting data that does not belong to them
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it
  • Do not disclose the vulnerability publicly before we have had a reasonable opportunity to address it
  • Do not disrupt or degrade our services during testing

We consider responsible security research conducted under these guidelines to be authorised activity and will work with researchers rather than against them.

Coordinated Disclosure

We ask that you give us a reasonable amount of time to resolve a reported issue before public disclosure. We aim to resolve critical vulnerabilities within 7 days and will coordinate a disclosure timeline with you.

If we are unable to resolve an issue within 90 days, we support your right to publish your findings, and we will work with you on the timing.

Recognition

While we do not currently operate a bug bounty programme, we are happy to publicly acknowledge researchers who report valid vulnerabilities.