At TO THE NEW, protecting our clients' and guests' data is a top priority. We are committed to the privacy and security of our users' data.
Vulnerabilities are nonetheless inevitable. We therefore invite security professionals to test our website and services (within the scope defined below) for vulnerabilities, and we acknowledge the role independent security researchers play in our overall security.
For the security of our users and service, we ask that you do not share details of the suspected vulnerability publicly or with any third party.
Whether it is a low-severity vulnerability or a critical one, send your findings to firstname.lastname@example.org. TO THE NEW is committed to working with security researchers to verify and address the potential vulnerabilities reported to us. Irrespective of severity, we will be happy to list your name in our Hall of Fame. We thank all security researchers who help us improve our overall security.
- When submitting potential vulnerabilities, please follow our disclosure guidelines.
- A submission that does not meet these requirements may not qualify for the Hall of Fame.
- A valid submission is expected to contain:
  - A description of the vulnerability
  - Steps to reproduce the vulnerability. If we cannot reliably reproduce the issue, we cannot fix it.
  - The impact of the vulnerability, with an exploit scenario
  - A proof of concept
All parts of our website (https://www.tothenew.com/) available to customers/guests are in scope and are our primary interest.
TO THE NEW uses a number of third-party providers and services. This disclosure program does not grant permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed on a case-by-case basis.
Please do not report the following issues. Even if they are reproducible, we classify them as Informational rather than as security vulnerabilities:
- Presence of banner or version information
- OPTIONS / TRACE HTTP methods enabled
- “Advisory” or “Informational” reports such as user enumeration
- Vulnerabilities requiring physical access to a system
- Missing CAPTCHAs
- Default web server pages
- Brute-force attacks
- Content injection
- Hyperlink injection in emails
- Missing SPF/DMARC records
- Content Spoofing
- Issues relating to password policy
- Full-path disclosure
- Version number information disclosure
- XML-RPC being publicly accessible (or enumeration via XML-RPC)
- CSRF-able actions that do not require authentication (or a session) to exploit
- Issues on 3rd-party subdomains/domains of services we use. Please report those issues to the appropriate service.
- Reports concerning security-related response headers: HTTP Strict Transport Security (HSTS), the XSS mitigation header X-XSS-Protection, X-Content-Type-Options (except where a missing nosniff directive is shown to be exploitable), and Content Security Policy (CSP) settings
- Clickjacking (without a working exploit)
- Denial-of-service (DoS) vulnerabilities
- Any theoretical issue that does not appear to be exploitable