Security & Vulnerability Disclosure

Last updated: April 21, 2026

If you discover a security issue in TosiName, please report it privately to security@tosiname.com. We appreciate responsible disclosure and will work with you to resolve valid findings quickly.

How to Report

Please include as much detail as possible:

• A clear description of the issue and potential impact
• Steps to reproduce
• Any proof-of-concept, logs, or screenshots
• Your contact information for follow-up

What You Can Test

• Public web app and authenticated user flows you can access legally
• Account boundaries, access control, and data exposure risks
• Business logic flaws and abuse paths

Out of Scope

• Denial-of-service (DoS) or traffic flooding
• Social engineering, phishing, or physical attacks
• Issues in third-party services outside our control (unless they create a direct risk in TosiName)
• Automated scanning that materially degrades service availability

Safe Harbor Expectations

When testing and reporting, please:

• Act in good faith and avoid privacy violations or service disruption
• Only access data needed to demonstrate the issue
• Do not modify or delete data that is not your own
• Do not publicly disclose details until we have had time to remediate

Response Timeline

• Acknowledgement target: within 3 business days
• Triage target: within 7 business days
• Fix timing: based on severity and complexity

Impersonation / Takedown Reports

To report impersonation, identity misuse, or takedown requests, contact abuse@tosiname.com or use the impersonation reporting form.

This policy is for coordinated security disclosure. For privacy requests, contact privacy@tosiname.com.