Security & Vulnerability Disclosure

Manifest — Effective date: July 15, 2026

Manifest is operated by TribalHouse. We take the security of your design data seriously and welcome reports from security researchers. This page describes how to report a vulnerability, what to expect from us, and the infrastructure our service runs on.


Reporting a vulnerability

Email support@tribalhousestudios.com with a description of the issue. A helpful report includes:

You can find our machine-readable contact at /.well-known/security.txt (RFC 9116).


What to expect


Safe harbor

We will not pursue or support legal action against researchers who act in good faith and follow this policy. Good-faith research means you:


Scope

In scope:

Out of scope:


Infrastructure and subprocessors

Manifest is an independent product and is not itself certified against SOC 2, ISO 27001, PCI DSS, HITRUST, or SSAE 18. Our stack runs on accredited providers:


How we protect your data

Our Privacy Policy describes what we collect, where it is stored, and your rights.


Contact

TribalHouse
support@tribalhousestudios.com