Introduction: At Tosi, we prioritize the security and privacy of our customers and the integrity of our systems. We are committed to maintaining a safe and secure environment for our products and services. This Vulnerability Disclosure Policy outlines our approach to receiving and handling security vulnerabilities reported to us.

Scope: This policy applies to all products and services provided by Tosi. It covers any vulnerabilities discovered in our hardware and software products, web applications, portals, mobile applications, APIs, and other related systems.

Reporting a vulnerability: If you believe you have discovered a security vulnerability in any of our products or services, we encourage you to report it to us responsibly. Please follow these guidelines when reporting a vulnerability:

• Send your findings to security@tosi.com with the subject line “Security Vulnerability Report”.
• Use PGP encryption when sending sensitive or confidential information. Our public key for PGP encryption.
• Provide a detailed description of the vulnerability, including but not limited to:

1. The type of vulnerability
2. The product, service, or system affected, and their version if available
3. Steps to reproduce the issue
4. Potential impact of the vulnerability
5. Any supporting evidence (e.g., screenshots, proof-of-concept code)

• Submit your report in English, if possible.

Note that if you don't explain the vulnerability in detail, there may be significant delays in the disclosure process, which is undesirable for everyone. The more details you provide, the easier it will be for us to triage and fix the issue.

Our commitment

Upon receiving a vulnerability report, we commit to:

1. Acknowledging the receipt of your report within 3 business days.
2. Providing an estimated timeline for the resolution of the vulnerability.
3. Keeping you informed of the progress towards resolving the issue.
4. Notifying you when the vulnerability has been addressed.

Responsible disclosure

We ask that you:

• Act in good faith: Do not exploit the vulnerability beyond what is necessary to confirm its existence.
• Non-disclosure: Avoid disclosing the vulnerability to any third parties until we have had a reasonable amount of time to address it.
• Data protection: Avoid accessing, modifying, or deleting any user data without explicit permission.

Safe harbor

To encourage responsible reporting, we pledge that:

• We will not take legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy.
• We will work with you to understand and resolve the issue quickly, and we will credit researchers who help us improve our security (with your consent).

Rewards and recognition

Tosi doesn’t have a vulnerability reward program (yet), and we can’t offer any compensation for your time and efforts in identifying and reporting this issue. However, we are happy to recognize your work publicly and add your name (and contact details, if you wish) to our Hall of Fame.

We will provide public recognition if:

1. you are the first person to file the report for a particular vulnerability,
2. the vulnerability is confirmed to be a valid security issue,
3. you have complied with the policy guidelines.

Policy changes

Tosi security team may revise this policy from time to time to reflect changes in our practices or legal requirements. We reserve the right to update this policy without prior notice. Any changes will be posted on our public website. We encourage you to review this policy regularly to stay informed about our security practices.

Tosibox would like to thank and recognize the following individuals, teams, and organizations who responsibly disclosed security issues to us and helped make Tosibox products and services safer. We salute you and appreciate your hard work, dedication, and commitment to keep our society safe and secure.

Tosi/Tosibox Hall of Fame 👑

2024

Shaurya & Sahil
Milap Shah
Gjoko Krstic from Zero Science Lab
Taseer Hussain

2017

Frank Denis
Alice Quinn

2016

John Buchner
Anna Richmond

Are you interested in reporting and making it to our Hall of Fame?
Then, send your findings to security@tosibox.com