Security Policy

Our security policy and vulnerability disclosure program.

1. Introduction

At ToDesktop, we take the security of our systems and customer data very seriously. This document outlines our approach to receiving and handling potential security vulnerabilities reported by external security researchers and customers.

2. Purpose

  • Provide a clear process for reporting potential vulnerabilities.
  • Encourage responsible disclosure and cooperative engagement with the security community.
  • Ensure timely and efficient handling of security-related issues.

3. Scope

This policy applies to any digital assets (web applications, APIs, infrastructure, build pipeline, update/download servers) that we directly operate. This includes assets under todesktop.com as well as assets that we operate but that resolve under a customer's domain. Our open source projects are also included in this scope.

Out of Scope: Third-party websites, components, or services not controlled or operated by ToDesktop.

4. Reporting a Vulnerability

If you discover a potential security issue affecting our services, please email us immediately at:

[email protected]

If you wish to encrypt your report, please use our PGP key from our security.txt file:

5. What to Include in Your Report

To help us triage and respond quickly, please include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce the issue (proof of concept, screenshots, or code).
  • Any relevant metadata (IP addresses, timestamps, logs).

6. Our Commitments

  • We will acknowledge receipt of your report within 2 business days.
  • We will investigate and validate your report, keeping you informed of progress.
  • If the vulnerability is valid, we aim to remediate it in a timely manner.
  • We will not take legal action against researchers who follow this policy in good faith.

7. Safe Harbor

We consider activities conducted consistent with this policy to be:

  • Authorized and in good faith.
  • Within the scope of our vulnerability disclosure program.

You will not be penalized or face legal consequences if you:

  • Avoid harming user data or privacy.
  • Do not exploit the vulnerability beyond demonstrating the issue.
  • Do not publicly disclose details before we have had a reasonable opportunity to fix the issue.

8. Bug Bounties (Discretionary Rewards)

At this time, ToDesktop does not operate a formal bug bounty program. However, we may, at our discretion, offer a reward for reports that identify high-impact security vulnerabilities. Factors that influence potential rewards include:

  • Severity and exploitability of the vulnerability.
  • Potential impact on users' app builds, app updates or system integrity.
  • Quality and clarity of the report.

While we appreciate all submissions, not all reports will be eligible for a bounty. If a bounty is granted, it will be determined solely at our discretion.

9. Non-Qualifying Issues

While we appreciate all reports, below are examples of issues not in scope for our security program:

  • Outdated browser plugins or missing security headers (without demonstrated risk).
  • Social engineering of ToDesktop employees without prior authorization.
  • Denial of service (DoS) attacks or brute-force tests that affect service availability.
  • Self-XSS that solely affects the reporter's own browser or session.

10. Public Disclosure

  • Coordinated Disclosure: We encourage researchers to responsibly disclose findings privately first, giving us time to address the issue.
  • We may publicly acknowledge valid reports in an Acknowledgments section on our website, if requested.

11. Amendments and Updates

We may update this policy periodically to reflect new best practices or changes in our services. The latest version will always be accessible at:

https://www.todesktop.com/security-policy