Tokra — Responsible Disclosure

Responsible Disclosure Policy

Publish at /legal/responsible-disclosure. How to report vulnerabilities to Tokra and how we respond.

Effective: 28 Aug 2025 | Last Updated: 28 Aug 2025 | Path: /legal/responsible-disclosure | Security: security@tokra.ai

1) Purpose & Scope

We value the security community’s help in keeping Tokra and our users safe. This policy explains how to report vulnerabilities and how we handle reports.

2) Report Channel

Email: security@tokra.ai

Subject: “Vulnerability Report – <brief title>”

Please include a clear description, step-by-step reproduction, impact, affected URLs/API endpoints, relevant screenshots/PoC (avoid unnecessary personal data), and your contact details.


3) Testing Rules (Do / Don’t)

Do

  • Test only your own accounts and data; minimize impact.
  • Respect rate limits; use non-destructive techniques.
  • Stop immediately and report if you encounter sensitive data unintentionally.

Don’t

  • No denial-of-service (DoS) or service degradation.
  • No social engineering, phishing, or physical intrusion.
  • Don’t exploit beyond what’s required to demonstrate impact.
  • Don’t access, save, or exfiltrate anyone else’s data.

4) Our Response Process

  • Acknowledge receipt within 3 business days (with a tracking ID).
  • Triage and initial severity within 7 business days.
  • Fix prioritized by risk; we’ll share status updates and closure notes.
  • We may share redacted details of your report with affected users or third parties as required by law.

5) Safe Harbor

If you act in good faith and comply with this policy, Tokra will not pursue legal action related to your research. This does not waive our rights regarding malicious or harmful activity.

6) Out-of-Scope Examples

Category: Examples

  • Traffic / Volumetric: Volumetric DDoS, spam, and open redirects without demonstrable impact
  • 3rd Parties: Issues in third-party services outside Tokra’s control
  • Framing: Clickjacking on pages without sensitive actions
  • Headers: Missing security headers with no exploitable risk

7) Legal & Privacy Notes

  • Tokra does not operate a public bug-bounty or Hall of Fame at this time.
  • We may acknowledge researchers privately or in release notes with your explicit permission; default is no public attribution.
  • Embargo: By submitting a report, you agree not to publicly disclose details until we confirm a fix or provide written authorization.

8) Language & Contacts

This page may be translated for convenience. In case of discrepancy, the English version controls after publication.

Security contact: security@tokra.ai; DPO/privacy contact: privacy@tokra.ai
