This Document applies to all Tuta Mail Clients, the backend services and our web site at https://tuta.com.
Please use github's disclosure feature on our main repo: https://github.com/tutao/tutanota/security
The process is documented here: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
If you do not have or want a github account, you can follow our guide to reporting security issues on our Support page on the topic: https://tuta.com/support/#report-vulnerability
We generally start investigating security issues as soon as we become aware of them and start patching them after confirming them. We will issue a public disclosure on our blog within 7 Days of disabling vulnerable clients.