Vulnerability Disclosure Policy

Introduction
At Tosibox, we prioritize the security and privacy of our customers and the integrity of our systems. We are committed to maintaining a safe and secure environment for our products and services. This Vulnerability Disclosure Policy outlines our approach to receiving and handling security vulnerabilities reported to us.

Scope
This policy applies to all products and services provided by Tosibox. It covers any vulnerabilities discovered in our hardware and software products, web applications, portals, mobile applications, APIs, and other related systems.

Reporting a vulnerability

If you believe you have discovered a security vulnerability in any of our products or services, we encourage you to report it to us responsibly. Please follow these guidelines when reporting a vulnerability:

  • Send your findings to security@tosibox.com with the subject line “Security Vulnerability Report”.
  • Use PGP encryption when sending sensitive or confidential information. Our public key is available at: https://www.tosibox.com/.well-known/security.pgp.txt.
  • Provide a detailed description of the vulnerability, including but not limited to:

    - The type of vulnerability

    - The product, service, or system affected, and their version if available

    - Steps to reproduce the issue

    - Potential impact of the vulnerability

    - Any supporting evidence (e.g., screenshots, proof-of-concept code)

  • Submit your report in English, if possible.

Note that if you don't explain the vulnerability in detail, there may be significant delays in the disclosure process, which is undesirable for everyone. The more details you provide, the easier it will be for us to triage and fix the issue.

Our commitment

Upon receiving a vulnerability report, we commit to:

1. Acknowledging the receipt of your report within 3 business days.

2. Providing an estimated timeline for the resolution of the vulnerability.

3. Keeping you informed of the progress towards resolving the issue.

4. Notifying you when the vulnerability has been addressed.

Responsible disclosure

We ask that you:

  • Act in good faith: Do not exploit the vulnerability beyond what is necessary to confirm its existence.

  • Non-disclosure: Avoid disclosing the vulnerability to any third parties until we have had a reasonable amount of time to address it.

  • Data protection: Avoid accessing, modifying, or deleting any user data without explicit permission.

Safe harbor

To encourage responsible reporting, we pledge that:

  • We will not take legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy.

  • We will work with you to understand and resolve the issue quickly, and we will credit researchers who help us improve our security (with your consent).

Rewards and recognition

Tosibox doesn’t have a vulnerability reward program (yet), and we can’t offer any compensation for your time and effort in identifying and reporting a vulnerability. However, we are happy to recognize your work publicly and add your name (and contact details, if you wish) to our Hall of Fame page.

We will provide public recognition if:

1. you are the first person to file the report for a particular vulnerability,

2. the vulnerability is confirmed to be a valid security issue,

3. you have complied with the policy guidelines.

Policy changes

The Tosibox security team may revise this policy from time to time to reflect changes in our practices or legal requirements. We reserve the right to update this policy without prior notice. Any changes will be posted on our public website. We encourage you to review this policy regularly to stay informed about our security practices.