Introduction
We believe in working closely with security researchers, ethical hackers, and enthusiasts to ensure that our products and services are secure and that our customers are safe. To achieve this, we offer rewards to individuals who find and ethically and responsibly disclose vulnerabilities to us through our Vulnerability Disclosure Program (VDP).
Scope
The Vulnerability Disclosure Program covers any vulnerability that results in risks to user data or the correct functioning of our services across all of our domains, properties, and infrastructure.
1. Toplyne's web application and APIs
2. Subdomains associated with Toplyne
3. Infrastructure related to the delivery of our services
Out of Scope
1. Third-party applications or websites
2. Social engineering attacks
3. Physical security attacks
4. Denial of service (DoS) attacks
Eligibility
Once a vulnerability is reported, our team will determine whether it qualifies for the VDP and its severity. To be eligible for a reward, you must:
1. Be the first to report the vulnerability
2. Provide a detailed description of the vulnerability, including reproduction steps, proof of concept, screenshots, and any
additional information that may be helpful in resolving the issue
3. Not disclose the vulnerability publicly or to any third party until Toplyne has resolved the issue
4. Not engage in any malicious activities or cause damage to Toplyne's infrastructure or user data.
5. Not use or attempt to use any account or user information other than your own.
6. Not destroy or compromise any confidential, proprietary, or information that you may gain access to.
7. Not damage our systems or any associate third party.
8. Not violate any applicable local laws, including privacy and data protection laws.
Rewards
Rewards for qualifying vulnerabilities are based on the severity of the vulnerability, as determined by Toplyne using the Common Vulnerability Scoring System (CVSS) and other relevant factors. The reward ranges are as follows:
Critical: $300 - $500
High: $150 - $300
Medium: $50 - $150
Low: $0 - $50
Toplyne reserves the right to determine the final reward amount at its sole discretion.
Responsible Disclosure
We encourage participants to practice responsible disclosure by:
1. Providing us with a reasonable amount of time to resolve the vulnerability before disclosing it publicly or to any third party
2. Not exploiting the vulnerability for personal gain or causing harm to Toplyne's infrastructure or users
3. Complying with all applicable laws and regulations
Reporting a Vulnerability
To report a vulnerability, please send an email to security@toplyne.io with the following information:
1. Your name and contact information
2. A detailed description of the vulnerability
3. Proof of concept and reproduction steps
4. Any additional information that may be helpful in resolving the issue
Our team will acknowledge receipt of your report and provide updates on the status of the issue as necessary.
Legal
We support responsible security research, and will not take legal action against an individual who reports vulnerabilities to us in good faith and responsibly and follows these practices to the best of their abilities. Additionally, please note that :
1. This is not a competition. The VDP and any associated rewards are offered solely at the discretion of Toplyne, and can be withdrawn or modified at any time.
2. By participating in Toplyne’s Vulnerability Disclosure Program, you agree to maintain confidentiality regarding the disclosed vulnerability and associated details, and agree to delete any confidential, proprietary, or personal information which may have come into your possession as a result of the investigation.
3. By participating in Toplyne's Vulnerability Disclosure Program, you agree to the terms and conditions set forth in this document.
4. Toplyne reserves the right to modify the program or its terms at any time without prior notice.
