Security Disclosure
Help us keep Alltoogether secure
Responsible Disclosure Policy
At Alltoogether, security is fundamental to everything we do. We take our responsibility to protect user data seriously and welcome feedback from security researchers who want to help improve our systems.
This policy outlines how to responsibly report security vulnerabilities to us. We ask that you follow this process to give us time to address issues before public disclosure.
What to Report
We're interested in hearing about:
- Authentication or authorization vulnerabilities, including broken access control and insecure direct object references
- Injection attacks (SQL injection, cross-site scripting, etc.)
- Exposure of sensitive or personal data, and other privacy issues
- Security misconfiguration
- Use of components with known vulnerabilities
- Other security issues that could impact user safety or data integrity
How to Report
Please email a detailed report to our security team at security@alltoogether.com.
Include the following information in your report:
- Description of the vulnerability
- Affected systems or endpoints
- Steps to reproduce the issue (a proof of concept, sample request, or screenshots help us confirm it quickly)
- Potential impact if exploited
- Your contact information and preferred method of communication
- Whether you'd like public recognition for the disclosure
What to Expect
When you report a vulnerability to us, here's what will happen:
- We will acknowledge receipt of your report within 48 hours
- We'll triage the report, confirm the vulnerability, and begin working on a fix
- We'll keep you updated on our progress while the fix is in development
- We aim to resolve high-severity issues within 30 days
- We'll notify you when the issue has been fixed
- We'll coordinate the timing of any public announcement with you so that a patch is in place before details are published
Safe Harbour
We recognize that good-faith security researchers are doing important work to help keep the internet safe. If you follow this responsible disclosure policy, you can expect the following:
- We will not pursue legal action against you for vulnerability research conducted under this policy
- We will not report you to law enforcement for accessing our systems in good faith as part of that research
- We will not pursue any claims under the Computer Fraud and Abuse Act or similar laws
- We recognize that you are acting in good faith to help us improve security
These commitments cover action by Alltoogether; they cannot bind third parties or prevent authorities from acting on their own.
This safe harbour applies provided that you:
- Do not access, use, retain, or disclose any data beyond what is necessary to demonstrate the vulnerability; if you encounter user data, stop testing and tell us in your report
- Do not destroy, modify, or degrade any data or systems
- Do not disclose the vulnerability publicly until we've had time to fix it
- Act in good faith and without malicious intent
Scope
In Scope
We're interested in vulnerabilities affecting:
- alltoogether.com and all of its subdomains, including app.alltoogether.com
- API endpoints and services
- Authentication and authorization systems
- Data storage and processing infrastructure
Out of Scope
The following are not covered by this policy:
- Social engineering or phishing attacks
- Denial-of-service or distributed denial-of-service attacks
- Physical security vulnerabilities
- Third-party services and platforms we don't control
- Issues that require an attacker to already hold unauthorized access to a user's account (for example, a stolen password or session)
- Disclosure of non-sensitive information, such as software version banners or stack traces that reveal nothing exploitable
- Best practice recommendations that don't represent actual security risks
Recognition
If you discover a vulnerability and help us fix it, we'd like to recognize your contribution. When we fix the issue, we're happy to:
- Include your name in our security hall of fame (if you'd like)
- Provide a public statement acknowledging your responsible disclosure
- Feature your research on our blog or security page
Recognition is completely optional - just let us know your preference when you report the vulnerability.
Questions?
If you have questions about this policy or aren't sure whether something should be reported, please reach out to security@alltoogether.com. We're happy to discuss your findings.
Thank you for helping us keep Alltoogether and our users safe.