Togal Bug Bounty Program

While no technology is flawless, we believe that collaboration with skilled security researchers around the world is essential to uncovering potential vulnerabilities.

If you’ve discovered a security issue in our product or service, we encourage you to report it. We’re committed to working with you to investigate and resolve the issue as quickly as possible.

🐞 What is a Bug Bounty Program?

At Togal, we take the security of our platform seriously. Our Bug Bounty Program is a way to work collaboratively with the global security research community to identify and fix vulnerabilities before they can be exploited.

We welcome reports of any behavior that may impact the security or integrity of our products, services, or customer data.

🙋‍♂️ Who Can Participate?

Anyone on the internet can participate.

📣 Disclosure Policy

By submitting a vulnerability report, you agree not to publicly disclose your findings or the contents of your submission, or share them with any third party. Do not attempt to access or modify user data that is not your own. Avoid any testing that could degrade the availability or performance of our systems.

🎯 Scope

  • All internet-facing services hosted on *.togal.io
  • APIs owned and maintained by Togal

Eligible vulnerabilities

Authentication & Authorization

  • Broken access control (e.g., IDOR)
  • Privilege escalation
  • Insecure authentication or session management

Injection attacks

  • SQL Injection (SQLi)
  • XML External Entity (XXE) injection
  • Command Injection
  • Server-Side Request Forgery (SSRF)

Code Execution

  • Remote Code Execution (RCE)
  • File inclusion vulnerabilities (LFI/RFI)
  • Directory traversal

Client-Side Issues

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Clickjacking (when shown to impact user security)

Sensitive Data Exposure

  • Unauthorized access to PII or account data
  • Sensitive information leakage at scale
  • Exposure of administrative panels lacking strong authentication

Misconfigurations

  • Subdomain takeover
  • Exposed internal services or endpoints
  • Known unpatched third-party vulnerabilities in production systems

🚫 Out of scope

Informational or Low-Risk Issues

Disclosure of:

  • Server IP addresses or hostnames
  • Internal paths, error messages, stack traces
  • Software version numbers
  • Missing cookie flags (e.g., HttpOnly, Secure)
  • Missing or misconfigured security-related HTTP headers (unless exploitable)
  • SSL/TLS or DNS best practices (e.g., lack of HSTS, SPF/DMARC on non-email domains)
  • Mixed content or UI issues that do not pose a security risk
  • Clickjacking with no demonstrated security impact

Testing Limitations

  • Results from automated scanners or tools without manual validation
  • "Self-XSS" (user can only XSS themselves)
  • CSRF/XSS requiring highly improbable or long/unpredictable parameters
  • Issues that require:
    • MITM (Man-In-The-Middle) attack
    • Physical device access
    • Social engineering or phishing
    • Distributed Denial of Service (DDoS)

Legal & Policy Boundaries

  • Collection or use of actual user PII or payment info (e.g., scraping credit cards)
  • Security issues in third-party services or vendors outside Togal’s control
  • Licensing violations or software misuse claims

Low Business Impact

  • Login/logout CSRF without meaningful impact
  • Feedback/comment/message flooding
  • Usability or provisioning issues not related to security
  • Reports of already patched or out-of-date vulnerabilities, or of recently disclosed vulnerabilities still within a 30–90 day window after the public patch

📬 How to Report

Please send your report to security@togal.ai and include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue (preferably written)
  • Screenshots, videos, or PoC code to demonstrate impact

Well-documented reports help us respond and resolve faster.

For examples of high-quality submissions, refer to:

🛡️ Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. We will respond within 3 to 5 working days. Thank you for helping keep our company and our users safe!

🎁 Rewards & Recognition

We deeply appreciate the time and effort security researchers invest in helping us improve our security posture.

At this time, we do not offer monetary rewards or a formal bug bounty program. However, valid reports that lead to meaningful improvements in our systems may receive:

  • A public acknowledgment (with your consent) on our website or security hall of fame
  • A personal thank you from our team
  • Early access to future security-related updates or testing programs (at our discretion)

Your contribution plays a vital role in protecting our users and services, and we sincerely thank you for helping us maintain a secure environment.