Security and Vulnerability Disclosure

Report security issues through the accountable Twendex security contact path.

Last updated: May 2, 2026

Security policy applicability

Country coverage: Country coverage follows the public market status and country-pack registry.

Entities: Default contracting entity is TWENDEX TRANSPORT NETWORK CO. - SMC LTD, Wakiso, Uganda, unless an approved country-pack annex names a local Twendex or partner entity for that market.

Product lines: Security reports for the website, API, admin, PWA, authentication, payments, uploads, notifications, and PII handling.

Channels: Security reports are accepted for all Twendex-owned production and pilot surfaces, regardless of market launch status.

Framework: Uganda law and courts are the default governing framework unless a signed country-pack annex or mandatory local consumer, transport, privacy, or payment law applies for the market.

Support and regulator path: Start with Twendex support at support@twendex.com or WhatsApp +256 770 616 744 (text only). Regulator or authority paths follow the applicable market annex and mandatory local law.

Effective date: May 2, 2026

View public market launch status

Responsible disclosure contact

Send suspected security vulnerabilities to the security team. For account support or non-security product issues, use the support contact instead.

support@twendex.com support@twendex.com

What to report

Please report suspected vulnerabilities in Twendex websites, APIs, mobile/PWA flows, authentication, payments, uploads, notifications, or PII handling. Include enough detail for our team to reproduce the issue safely.

What to include

Send the affected URL or endpoint, steps to reproduce, impact, screenshots or logs where safe, and your preferred contact details. Do not include customer secrets, private records, or unnecessary personal data.

Safe research rules

Use only your own accounts and test data. Do not access, change, delete, exfiltrate, or interrupt data, money movement, production infrastructure, or accounts that do not belong to you.

Out of scope

Denial-of-service testing, social engineering, physical attacks, spam, automated destructive scanning, and findings that rely only on outdated browser versions are not authorized under this policy.

Response expectations

We aim to acknowledge security reports within two business days and provide status updates as we validate, prioritize, and fix the issue. Critical safety, payment, or PII findings are triaged first.

Coordinated disclosure

Please give Twendex reasonable time to investigate and remediate before public disclosure. We will work with good-faith reporters and credit them when appropriate and mutually agreed.

Machine-readable security contact

Security tooling can also discover this policy through the standard well-known endpoint.

/.well-known/security.txt

Preferred languages: English, French, and Swahili. Current page: /en/security.

Security and Vulnerability Disclosure

Report security issues through the accountable Twendex security contact path.

Last updated: May 2, 2026

Security policy applicability

Country coverage: Country coverage follows the public market status and country-pack registry.

Entities: Default contracting entity is TWENDEX TRANSPORT NETWORK CO. - SMC LTD, Wakiso, Uganda, unless an approved country-pack annex names a local Twendex or partner entity for that market.

Product lines: Security reports for the website, API, admin, PWA, authentication, payments, uploads, notifications, and PII handling.

Channels: Security reports are accepted for all Twendex-owned production and pilot surfaces, regardless of market launch status.

Framework: Uganda law and courts are the default governing framework unless a signed country-pack annex or mandatory local consumer, transport, privacy, or payment law applies for the market.

Effective date: May 2, 2026

View public market launch status

Responsible disclosure contact

Send suspected security vulnerabilities to the security team. For account support or non-security product issues, use the support contact instead.

support@twendex.com support@twendex.com

What to report

What to include

Safe research rules

Use only your own accounts and test data. Do not access, change, delete, exfiltrate, or interrupt data, money movement, production infrastructure, or accounts that do not belong to you.

Out of scope

Denial-of-service testing, social engineering, physical attacks, spam, automated destructive scanning, and findings that rely only on outdated browser versions are not authorized under this policy.

Response expectations

We aim to acknowledge security reports within two business days and provide status updates as we validate, prioritize, and fix the issue. Critical safety, payment, or PII findings are triaged first.

Coordinated disclosure

Please give Twendex reasonable time to investigate and remediate before public disclosure. We will work with good-faith reporters and credit them when appropriate and mutually agreed.

Machine-readable security contact

Security tooling can also discover this policy through the standard well-known endpoint.

/.well-known/security.txt

Preferred languages: English, French, and Swahili. Current page: /en/security.

Security and Vulnerability Disclosure

Responsible disclosure contact

What to report

What to include

Safe research rules

Out of scope

Response expectations

Coordinated disclosure

Machine-readable security contact

Quick Links

Services

Company

Security and Vulnerability Disclosure

Responsible disclosure contact

What to report

What to include

Safe research rules

Out of scope

Response expectations

Coordinated disclosure

Machine-readable security contact

Quick Links

Services

Company