Responsible disclosure policy
No technology is perfect. That’s why we believe it’s crucial to identify Toon’s weaknesses. If you think you've found a security issue in our product or service, we encourage you to notify us. We welcome the opportunity to work with you to resolve the issue promptly.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- If you discover a weakness and investigate it, you might perform actions that are punishable by law. If you observe the rules for reporting weaknesses in our IT systems, we will not report your offense to the authorities and will not submit a claim. Note, however, that any actions taken by the public prosecutor’s office are out of our control.
Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
- Attacks requiring physical access to a user's device and others such as office access (e.g. open doors, tailgating)
- Password and account recovery policies, such as reset link expiration or password complexity
- Invalid or missing SPF (Sender Policy Framework) records
- Bypass of URL malware detection
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Social engineering of Toon staff or contractors
- Any physical attempts against Toon property or data centers
- UI and UX bugs and spelling mistakes
- Network level Denial of Service (DoS/DDoS) vulnerabilities
How to report a vulnerability
We use a third party to help us validate and manage suspected vulnerabilities.
You can report your discovery here.
Please include the following details with your report:
- Description of the location and potential impact of the vulnerability
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
- Your name/handle and a link for recognition in our Hall of Fame
Thank you for helping keep us and our users safe.