Vulnerability Disclosure

Last updated 18 May 2026

Reporting a Vulnerability

FeedbackPulse welcomes good-faith reports of security vulnerabilities that could affect the FeedbackPulse app, customer data, or the workflows teams use to collect and analyze employee feedback.

If you believe you have found a security issue, contact us at [email protected]. We aim to acknowledge valid reports within 3 business days and will follow up based on the severity, complexity, and reproducibility of the issue.

In Scope

This policy covers vulnerabilities in FeedbackPulse-owned web properties, the FeedbackPulse application, APIs, and customer-facing product workflows controlled by FeedbackPulse.

Examples may include issues affecting survey and review workflows, employee or organization data, authentication and access control, analytics and exports, billing or admin areas, API behavior, or official connected workflows such as Slack, Microsoft Teams, Zapier, n8n, or similar integrations when the issue is caused by FeedbackPulse-controlled behavior.

Vulnerabilities in third-party platforms themselves, a customer's configuration of those platforms, or systems not controlled by FeedbackPulse should be reported to the relevant provider.

Out of Scope

The following activities are not authorized under this policy:

  • social engineering, phishing, or attempts to access employees, customers, or support channels;
  • physical attacks or attempts to access offices, devices, infrastructure facilities, or data centers;
  • denial-of-service, spam, high-volume automated scanning, or testing that degrades service availability;
  • accessing, modifying, deleting, copying, or exfiltrating data that is not your own;
  • testing third-party systems, services, integrations, or infrastructure not controlled by FeedbackPulse.

Rules of Engagement

Please make every effort to avoid privacy violations, data destruction, service disruption, and unnecessary access to personal data. Use non-destructive testing methods and stop testing as soon as you have enough evidence to demonstrate the issue.

Do not publicly disclose vulnerability details until FeedbackPulse has investigated and remediated the issue, or until we have agreed on a coordinated disclosure approach.

What to Include

Helpful reports include:

  • the affected URL, endpoint, integration, or feature;
  • steps to reproduce the issue;
  • the expected and actual behavior;
  • the security impact and any relevant assumptions;
  • screenshots, logs, or proof-of-concept details that do not expose customer data;
  • your contact information for follow-up questions.

No Paid Bug Bounty

FeedbackPulse does not currently operate a paid bug bounty program and does not guarantee payment, rewards, gifts, or public recognition for reports. We still appreciate responsible reports that help us protect customers and improve the service.

Related Security and Privacy Information

For more information about how FeedbackPulse protects data and handles service trust, see our Security, Privacy Policy, Sub-Processors, and Data Processing Agreement pages.