Security & Responsible Disclosure

Last updated: April 2026

We take security personally.

TinyX is built by security-aware folks. This isn't a side project that happens to have encryption — security is the product. Our infrastructure runs on Cloudflare Workers with zero-knowledge encryption, and we treat every vulnerability report like it's our own systems on the line. Because it is.

Reporting a vulnerability

Found something? Don't sit on it. Email security@tinyx.co with:

• A clear description of the vulnerability
• Steps to reproduce (the more detail, the faster we move)
• The potential impact as you understand it
• Your contact information (so we can follow up)

Use our security.txt for PGP-encrypted communication if you prefer.

What we promise

• Acknowledgement within 24 hours. We'll confirm we received your report and assign someone to it.
• Triage within 72 hours. We'll assess severity, confirm the issue, and give you a timeline.
• No legal threats. If you follow this policy, we will not pursue legal action against you. Ever.
• Credit where it's due. Unless you prefer anonymity, we'll publicly credit you for the find.
• Direct communication. No ticket systems, no support bots. You talk to the people who fix the code.

Scope — what's in

• Authentication and authorisation bypasses
• Cross-site scripting (XSS), injection attacks
• Server-side request forgery (SSRF)
• Encryption implementation flaws
• Data exposure or leakage
• Privilege escalation between tiers or roles
• Webhook or API abuse vectors
• Session management issues
• Any bypass of link expiration, download limits, or access controls

Scope — what's out

• Social engineering or phishing of our team
• Denial of service (DoS/DDoS) attacks — don't test these, just report the theory
• Issues in third-party services (Stripe, Cloudflare, Resend) — report those to them directly
• Missing security headers that don't lead to a demonstrable exploit
• Self-XSS or issues requiring physical access to a user's device
• Automated scanner output without a verified exploit

Bug bounty

We don't run a formal bounty programme with fixed payouts. But we do reward good-faith researchers who find real issues. The form varies — sometimes it's cash, sometimes it's a lifetime Pro/Max account, sometimes it's a public shoutout and a reference. It depends on severity and impact.

What we can guarantee: if you find something real and report it responsibly, we won't ignore you, and we won't be cheap about it.

Rules of engagement

• Don't access other users' data. Create your own test accounts. If you accidentally access someone else's data, stop immediately and report it.
• Don't disrupt the service. No load testing on production. No deleting other people's files. No brute-forcing rate limits.
• Don't go public before we fix it. Give us reasonable time to patch. We move fast — usually within days, not months.
• One vulnerability per report. Don't chain 5 issues into one email and call it a day. Each issue gets its own report.

Testing scope

Test against your own accounts, files, and links only — never another user's data. Keep automated traffic reasonable (no load/stress testing, no denial-of-service). The Abuse Policy applies in full while testing. Found something? Email security@tinyx.co — no forms, no chatbots, just email.

Our security stack

• Infrastructure: Cloudflare Workers (edge compute, no origin server), D1 (SQLite at the edge), R2 (object storage)
• Encryption: AES-256-GCM, client-side (browser), PBKDF2 key derivation with 100,000 iterations
• Authentication: HMAC-SHA256 JWTs, bcrypt password hashing, CSRF protection
• Transport: TLS 1.3 enforced, HSTS, no mixed content
• Billing: Stripe handles all payment data — we never see card numbers

Questions? security@tinyx.co. No forms. No chatbots. Just email.

Release notes

For a running log of what we've shipped, see /changelog.md.

Back to home