Todoer
Security

Vulnerability Disclosure Policy

We take security seriously. If you've found a vulnerability in Todoer, we want to hear about it. This policy outlines what's in scope, how to report, and what you can expect from us.

Program type: Vulnerability Disclosure (VDP)
Rewards: No monetary rewards
Response SLA: Best effort
Status: Open

Introduction

Todoer is a task management application built for everyday productivity. We are committed to ensuring the security of our users and their data. We welcome responsible disclosure from the security community and ask that researchers follow this policy when testing and reporting.

This is a Vulnerability Disclosure Program — we do not offer monetary rewards, but we genuinely appreciate the effort researchers put in and will acknowledge valid findings.

Scope

The following assets are in scope for security testing:

Asset            Type               Severity eligibility
entityy.site     Web application    Critical, High, Medium
*.entityy.site   Subdomains         Critical, High, Medium
API endpoints    REST API           Critical, High, Medium

Vulnerability types we're interested in

  • Authentication and authorization bypass
  • Account takeover (any technique)
  • Cross-site scripting (XSS) — stored, reflected, DOM-based
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Insecure direct object references (IDOR)
  • SQL injection or other injection attacks
  • Path traversal / arbitrary file read or write
  • Remote code execution (RCE)
  • Business logic vulnerabilities
  • Sensitive data exposure
  • Security misconfigurations with demonstrable impact
  • OAuth flow vulnerabilities

Out of scope

The following are explicitly out of scope and will not be considered valid findings:

  • Denial of service (DoS/DDoS) attacks
  • Brute force attacks without a meaningful security bypass
  • Spam or social engineering of Todoer users or staff
  • Physical attacks against infrastructure
  • Attacks requiring physical access to a victim's device
  • Missing security headers without demonstrable impact
  • Vulnerabilities in third-party services not under our control
  • Self-XSS with no viable escalation path
  • Clickjacking on pages without sensitive actions
  • CSV injection
  • Rate limiting issues without a meaningful security impact
  • Outdated software versions without a working proof of concept
  • SSL/TLS configuration issues without demonstrable impact

Testing guidelines

  • Use your own accounts. Create test accounts specifically for your research. Do not access, modify, or delete data belonging to other users.
  • Avoid destructive testing. Do not perform any action that could degrade the availability of the service for other users.
  • Do not exfiltrate data. Demonstrate the existence of a vulnerability without extracting real user data beyond what is necessary to prove impact.
  • Do not perform automated scanning at high volume. Light scanning is acceptable; aggressive automated crawling and fuzzing are not.
  • Stop at proof of concept. Once you've confirmed a vulnerability exists, do not exploit it further than necessary to demonstrate impact.
  • Act in good faith. We commit to acting in good faith toward researchers who follow this policy and expect the same in return.

How to report

Send your report to the contact email listed on this page. A good report includes:

  1. A clear description of the vulnerability and its potential impact
  2. Step-by-step reproduction instructions
  3. Proof of concept — screenshots, video, or a working payload
  4. The affected URL or endpoint
  5. Any relevant request/response data (redact sensitive info where possible)

The more detail you provide, the faster we can validate and act on your report.

What to expect from us

  • Acknowledgement. We will acknowledge receipt of your report as soon as we can.
  • Validation. We will investigate and let you know whether the report is accepted as a valid finding.
  • Transparency. We will keep you informed of progress and any decisions made regarding your report.
  • Recognition. Valid findings will be acknowledged. We may maintain a hall of fame for researchers who disclose responsibly.
  • No legal action. We will not pursue legal action against researchers who follow this policy in good faith.

Disclosure policy

We ask for a period of 90 days from the date of your initial report before public disclosure. This gives us time to validate, remediate, and deploy a fix. If you wish to disclose before 90 days have passed, please coordinate with us first.

We support coordinated disclosure and will work with you on timing if you have concerns.

Safe harbor

Todoer considers security research conducted under this policy to be authorized. We will not initiate legal action for research that complies with this policy. If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will make clear that your actions were conducted with our authorization.

Built in partnership with Nimbus Vault (nimbusvault.app)