Toutmark welcomes responsible security disclosures from researchers and security professionals. This policy explains how to report vulnerabilities and what to expect in response.
1. Responsible Disclosure Invitation
Toutmark invites security researchers and ethical hackers to report vulnerabilities in the Toutmark platform. We believe in transparency and will work cooperatively with researchers to fix issues.
Our Commitment
If you follow this policy, Toutmark commits to:
- Not pursuing legal action against you for good-faith security research
- Responding to your report promptly
- Fixing confirmed vulnerabilities and crediting you (with your permission)
- Keeping your identity and report details confidential until the issue is fixed
2. In-Scope
Please report vulnerabilities in the following:
- toutmark.com — Main website, landing pages, blog
- *.toutmark.com — Subdomains (dashboard, API, etc.)
- Toutmark Dashboard — Customer account area, settings, integrations
- Public APIs — Documented and undocumented endpoints
- CMS Publishing Integrations — WordPress plugin, Webflow/Shopify/Ghost/Sanity/Contentful publishing flows
- OAuth Callbacks — /api/connect/*/callback endpoints
3. Out-of-Scope
Do NOT test or report issues in the following:
- Third-party platforms: Cloudflare, Vercel, Stripe, Mailrelay, etc. — report those issues directly to the platforms
- Social engineering or phishing: Do not try to trick Toutmark staff into revealing information
- Physical attacks: Do not attempt to access Toutmark offices or infrastructure physically
- DDoS testing: Do not conduct denial-of-service attacks
- Brute force attacks: Do not attempt to crack passwords or API keys through repeated guessing
- Customer data access: Do not attempt to access other customers' data
4. How to Report a Vulnerability
Email: [email protected]
Subject Line: "[SECURITY] Vulnerability Report — [Brief Title]"
What to Include
- Vulnerability Type: SQL injection, XSS, CSRF, authentication bypass, etc.
- Affected Endpoint or Feature: URL, API endpoint, or feature name
- Reproduction Steps: Detailed, step-by-step instructions to reproduce the issue
- Expected vs. Actual Behavior: What should happen vs. what actually happens
- Impact Assessment: What could an attacker do with this vulnerability?
- Screenshots or PoC: If applicable, attach evidence (screenshots, video, or proof-of-concept code)
- Your Contact Information: Name, email, PGP key (if you want encrypted communication)
Do NOT Include
- Payloads that cause actual damage
- Exploitation that accesses customer data (just prove the vulnerability exists)
- Attempts to modify, delete, or corrupt data
5. Response Timeline
- Acknowledgment (2 business days): We confirm receipt of your report
- Triage (5 business days): We assess the severity and impact of the vulnerability
- Fix Timeline (communicated per severity):
  - Critical (actively exploitable, risk of a data breach): Fix within 24–72 hours
  - High (authentication bypass, unauthorized access): Fix within 1 week
  - Medium (XSS, CSRF, information disclosure): Fix within 2 weeks
  - Low (minor issues, best-practice deviations): Fix within 30 days
- Disclosure (after fix is deployed): With your permission, we may credit you publicly
6. Safe Harbor & Legal Protection
Good-Faith Researchers: If you follow this policy and act in good faith, Toutmark will not pursue legal action against you for:
- Accessing systems or data for the purpose of discovering vulnerabilities
- Testing vulnerability impact on Toutmark systems only
- Reporting discovered vulnerabilities
Conditions: This safe harbor applies only if you:
- Act in good faith and do not access data you don't have permission to access
- Do not intentionally damage systems or data
- Do not disclose the vulnerability publicly before giving Toutmark 90 days to fix it
- Do not use the vulnerability for financial gain
- Comply with all applicable laws
7. Bug Bounty Program
Live Phase: Toutmark does not currently offer a paid bug bounty program. However, we do offer:
- Public recognition (with your permission) on this page and in our security announcements
- A personalized thank-you from the Toutmark team
- Priority support for your own Toutmark account (if applicable)
- Consideration for future discounts or credits (case-by-case)
Future Phases: As Toutmark grows, we may implement a formal paid bug bounty program. Security researchers who have helped us will be notified of any bounty offering.
8. Disclosure Policy
Coordinated Disclosure
We follow a coordinated disclosure timeline:
- Day 0: Researcher reports the vulnerability
- Day 1–90: Toutmark works to fix the issue; the researcher keeps it confidential
- Day 90+: If Toutmark has not fixed the issue, the researcher may choose to disclose publicly
Public Acknowledgment
Once a fix is deployed, Toutmark will publish a security advisory that includes:
- Vulnerability description
- Affected versions/features
- Researcher name (with permission)
- Severity rating (Critical, High, Medium, Low)
- Fix description and deployment date
9. Security Contact
Security Email: [email protected]
Mailing Address:
Toutmark
2712 N Ardmore Avenue
Manhattan Beach, CA 90266
USA
PGP Key:
10. Security Best Practices
While you're researching, please follow these best practices:
- Test only on Toutmark infrastructure: Do not use the vulnerability against other companies or individuals
- Minimize access: Access only the minimum necessary to prove the vulnerability exists
- Document everything: Keep detailed notes of what you tested and when
- Keep it confidential: Do not discuss the vulnerability with others until Toutmark fixes it
- Respect customer privacy: Do not access customer data or accounts without permission
Version History
- v1.0 — April 23, 2026: Initial Security Disclosure Policy (Live Phase, US-only)