At TO THE NEW, protection of our clients and guests data is a top priority. We are committed to the privacy and security of our user’s data.

But yes, vulnerabilities are inevitable. Thus, we invite security professionals to test for any vulnerabilities on our website or services(under scope). We acknowledge the role of independent security researchers in overall security.

For the security of our users and service, we ask that you do not share details of the suspected vulnerability publicly or with any third party.

Reporting a Security Vulnerability

Whether it is a low-severity vulnerability or a critical one, forward us your findings at TO THE NEW is committed to working with security researchers to verify and address potential vulnerabilities that are reported to us. Irrespective of the severity of the vulnerability, we would be happy to put your name in our Hall Of Fame. We thank all security researchers who are helping us to improve our overall security.

Program Rules
  • When submitting potential vulnerabilities, we ask that you follow our guidelines for disclosure.
  • A submission that does not meet these requirements may not qualify for the Hall of Fame
  • The following attributes are expected in a valid submission:
    • Description of the vulnerability
    • Steps for reproducing the vulnerability. If we cannot reliably reproduce the issue, we cannot fix it
    • Impact of the vulnerability with an exploit scenario
    • Proof of concept
In Scope & Out of Scope Targets

All parts of our website ( available to customers/guests are in scope and are our primary interest.

TO THE NEW uses a number of third-party providers and services. Our disclosure program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed on a case-by-case basis.

Not applicable vulnerabilities

Please refrain from sending us a report on the below issues. Even if they are reproducible, we consider them as Informational and not a security vulnerability.

  • Presence of banner or version information
  • OPTIONS / TRACE HTTP method enabled
  • “Advisory” or “Informational” reports such as user enumeration
  • Vulnerabilities requiring physical access to a system
  • Missing CAPTCHAs
  • Default web server pages
  • Brute-force attacks
  • Content injection
  • Hyperlink injection in emails
  • Missing SPF/DMARC records
  • Content Spoofing
  • Issues relating to password policy
  • Full-path disclosure
  • Version number information disclosure
  • XML.RPC being accessible publicly (Or enumeration using XML.RPC)
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Issues on 3rd-party subdomains/domains of services we use. Please report those issues to the appropriate service.
  • Reports related to the security-related headers: Strict Transport Security (HSTS) – XSS mitigation headers (X-Content-Type and X-XSS-Protection) – X-Content-Type-Options – Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  • Click-jacking (without a valid exploit)
  • DOS vulnerabilities
  • Any theoretical issue, which does not seem to be exploitable
Our Offices
  • Singapore (HQ)
    60 Paya Lebar Road,
    #11-06, Paya Lebar Square, Singapore - 409051
    Tel: +91 120 4601800
  • Delhi NCR
    NSL Techzone, Sector 144,
    Noida, Uttar Pradesh -  201306, India
    Tel: +91 120 4601800
  • New Jersey
    101 Hudson Street,
    #2100, Jersey City, New Jersey - 07302
    Tel: +1 (201) 633-2314
  • Sydney
    Level 35, International Tower One,
    100 Barangaroo Avenue, NSW - 2000, Sydney
    Tel: +61 2 81144479
  • Dubai
    Sentro Business Center,
    1107, Sheikh Zayed Road, Dubai
    Tel: +971 4 3999496
  • Dehradun
    Chrysler Tech Centre, Doon IT Park,
    Sahastradhara Rd, Dehradun, Uttarakhand - 248001
    Tel: +91 120 4601800
Write to Us