Vulnerability Disclosure Policy
Version 1.0 · Effective 2026-04-23
Introduction
Table Menu Inc. operates a multi-tenant restaurant ordering platform at tablemenu.app and on tenant subdomains (*.tablemenu.app). We are committed to protecting the security of our platform, our restaurant operators, and their guests. This policy establishes the rules for security researchers who wish to report vulnerabilities to us.
We follow a Vulnerability Disclosure Policy (VDP) model, not a paid bug bounty. We cannot offer monetary rewards at this time. Researchers who make qualifying disclosures in good faith may receive written acknowledgement and Table Menu merchandise.
Scope
In scope:
- tablemenu.app - marketing and onboarding
- *.tablemenu.app - tenant ordering apps
- Table Menu mobile-web ordering flow
- Table Menu admin portal
- All /api/* routes on the above domains
- Apple Wallet and Google Wallet pass endpoints
- Authentication flows (SMS verify, staff login, JWT handling)
Out of scope:
- Stripe, Clover, Twilio, Apple, Google, Supabase, Sentry (each runs its own programme)
- Third-party libraries (report upstream)
- Social engineering, phishing, physical attacks
- Denial-of-service attacks
- Automated scanning at scale
- Testing against customer data you do not own
Prohibited actions
The following actions are strictly prohibited regardless of intent:
- Accessing, modifying, or deleting data that does not belong to a test account you control.
- Running automated vulnerability scanners at a rate that degrades service performance.
- Exploiting a vulnerability beyond the minimum action required to demonstrate it.
- Social engineering, phishing, or physical attacks against Table Menu staff.
- Causing denial of service against any Table Menu infrastructure.
- Publishing vulnerability details publicly before Table Menu has had a reasonable opportunity to remediate.
Good faith safe harbor
Table Menu will not pursue civil or criminal legal action against security researchers who: (1) comply with all terms of this policy; (2) limit research to in-scope assets only; (3) do not violate the prohibited actions above; (4) make a good-faith effort to avoid privacy violations, service disruption, and harm to others; and (5) report the vulnerability to security@tablemenu.app before disclosing to any third party.
This safe harbor is offered in the spirit of the disclose.io Safe Harbor Framework. Table Menu acknowledges that well-intentioned security research is a public good.
Reporting
Email security@tablemenu.app. For reports that include credentials, session tokens, or personal data of real users, encrypt with our PGP key at tablemenu.app/.well-known/pgp-key.txt.
Do not report security vulnerabilities through GitHub issues, social media, the contact form, or any other public channel.
Response SLAs
| Milestone | Target |
| --- | --- |
| Acknowledgement of receipt | 3 business days |
| Initial triage and severity rating | 7 business days |
| Status update cadence | Every 14 days until resolved |
| Critical / High resolution | 30 days target |
| Medium resolution | 90 days target |
| Low / Informational resolution | 180 days target |
Rewards
Table Menu operates a VDP (not a paid bug bounty) at this stage. Researchers who make qualifying disclosures may receive:
- Written acknowledgement naming the researcher (or alias).
- Table Menu merchandise (stickers, t-shirt) at our discretion for High and Critical findings.
We do not offer cash rewards at this time.
Coordinated disclosure
We follow a coordinated disclosure model. Once a fix is deployed, we notify you and offer to review any draft public write-up before you publish. We ask for at least 30 days post-fix before public disclosure.
Contact
Security: security@tablemenu.app
Privacy: privacy@tablemenu.app
Legal: legal@tablemenu.app