How to report a security vulnerability to Typeform

At Typeform, our top priority is the safety and security of your data. To encourage responsible reporting of potential security vulnerabilities, we are committed to working with our community to verify, reproduce, and respond to legitimate reports.

Responsible Disclosure Guidelines

Our security team investigates all reported security issues as quickly as possible. If you think you’ve found a bug in Typeform’s security, or have a security incident to report, please get in touch using this typeform, or email us. If you want to encrypt your communications with us, please use our PGP public key – KeyID: AB2AE591.

We’ll give you a response to your report once it has been verified and prioritized by our product teams. Please don’t publicly disclose the issue until it has been addressed by Typeform, and give us a reasonable amount of time to look at the vulnerability.

When reporting a vulnerability, please provide as much detail as you can to help us validate and reproduce it. Vulnerabilities must be disclosed to us privately, and disclosures should be made in good faith. We will not prosecute people for reporting vulnerabilities, as long as no malicious attempt to compromise other user accounts has been made.

We understand the hard work that goes into security research. We’ll show our appreciation in the best way we can, based on the effort needed, criticality of the issue, and the responsible disclosure of the potential vulnerability.