Security & Responsible Disclosure

Last updated: Jul 2026

Tabula Bio, Inc. ("Tabula", "we", "our", "us") takes the security of our systems and the data entrusted to us seriously. We value the work of the security research community and welcome reports of potential vulnerabilities in our services. This policy explains how to report a vulnerability to us, what you can expect in return, and the conditions under which we will not pursue legal action against good-faith researchers.

Reporting a Vulnerability

If you believe you have found a security vulnerability in any of our systems, please email us at security@tabulabio.com.

To help us investigate and resolve the issue quickly, please include:

  • A clear description of the vulnerability and its potential impact
  • The steps required to reproduce it, including any proof-of-concept code, URLs, or requests
  • The affected asset (for example, the domain, page, or endpoint)
  • Any relevant screenshots or logs

Please report issues as soon as possible after you discover them, and do not disclose them publicly until we have had a reasonable opportunity to investigate and remediate.

Scope

This policy applies to the following assets:

  • tabulabio.com and its subdomains
  • The public services and applications we operate on these domains

The following are out of scope. Please do not test against them:

  • Third-party services, platforms, and vendors we use but do not operate
  • Physical security of our offices, facilities, or hardware
  • Social engineering, phishing, or other attacks against our employees, contractors, or partners
  • Denial-of-service (DoS/DDoS) attacks or any testing that degrades or interrupts our services
  • Automated, high-volume scanning that generates excessive traffic

Our Commitment

When you report a vulnerability in good faith under this policy, we will:

  • Acknowledge receipt of your report within five business days
  • Provide an estimated timeline for remediation where possible, and keep you informed of our progress
  • Notify you when the reported vulnerability has been resolved
  • Recognize your contribution if you are the first to report a valid issue and you would like to be credited

Safe Harbor

We consider security research and vulnerability disclosure activities conducted in accordance with this policy to be authorized, beneficial, and in good faith. If you make a good-faith effort to comply with this policy during your research, we will:

  • Not pursue or support any legal action against you related to your research
  • Work with you to understand and resolve the issue quickly
  • Regard your activity as authorized under the Computer Fraud and Abuse Act (CFAA) and any relevant anti-hacking laws, and waive any claim against you for circumventing the technological measures we use to protect the in-scope assets

If legal action is initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Guidelines

To qualify for safe harbor, you must:

  • Make a good-faith effort to avoid privacy violations, degradation of our services, and disruption to or destruction of data
  • Only interact with accounts you own or for which you have explicit permission from the account holder
  • Not access, modify, or delete data that does not belong to you, and access only the minimum amount of data necessary to demonstrate a vulnerability
  • Stop testing and notify us immediately if you encounter any personal, confidential, or sensitive data, including personally identifiable information, credentials, or proprietary research data
  • Not use, disclose, or retain any data accessed during your research
  • Give us a reasonable amount of time to remediate an issue before disclosing it publicly, and coordinate any public disclosure with us

Recognition

This is a responsible disclosure program, not a paid bug bounty. We do not currently offer monetary rewards for reported vulnerabilities. We are, however, grateful for your help and are happy to acknowledge researchers who responsibly disclose valid issues.

Questions

If you have any questions about this policy or are unsure whether a specific test is authorized, contact us at security@tabulabio.com before proceeding.