Vulnerability Disclosure & Bug Bounty Program

Last updated: May 9, 2026

The Token Research Company (“The Token Company”) runs an LLM input compression service that customer applications rely on for performance and, in regulated environments, for safeguarding sensitive content — including, in some deployments, electronic Protected Health Information (ePHI) handled under a Business Associate Agreement. We treat external security research as a core part of our defense in depth and welcome reports that help us protect customers.

1. Scope

In scope

  • The production API and dashboard at thetokencompany.com and *.thetokencompany.com.
  • First-party SDKs and code samples published in our public GitHub organization.
  • Authentication, authorization, and tenant isolation in the compression service.
  • Findings that demonstrate unauthorized access to customer data, leakage of customer prompts, account takeover, or privilege escalation.

Out of scope

  • Marketing pages and third-party services (e.g., the support portal, status page, our payment processor).
  • Findings that require physical access, social engineering of staff, or compromise of a customer’s own environment.
  • Theoretical issues without a practical proof of concept (e.g., reports of “missing” headers without a demonstrated impact, weak ciphers absent a real-world attack).
  • Denial-of-service findings beyond noting a missing rate limit — do not run sustained DoS, fuzzers, or scanners against production.
  • Reports about the inherent behavior of large language models (e.g., a model produced surprising output) unless tied to a security boundary failure in our service.

2. Rules of Engagement

  • Test only against accounts you own. Use the free or trial tier; do not test against another customer’s tenant.
  • Do not access, modify, or store customer data, prompts, or ePHI. If you encounter such data accidentally, stop, delete any local copies, and include the steps in your report.
  • Avoid actions that would degrade service for our customers or affect their data integrity.
  • Do not publicly disclose a vulnerability before we have had a reasonable opportunity to remediate (90 days, or sooner if we agree).
  • Comply with applicable laws. Activity within the rules of this policy is authorized; we will not pursue legal action against good-faith research that follows the rules.

3. How to Report

Email rasmus@thetokencompany.com from your normal address. PGP is available on request. Include:

  • A clear description of the issue and the impact.
  • Step-by-step reproduction, with the exact request, response, and any code or configuration needed.
  • The affected URL, endpoint, version, or account ID (your own).
  • Your researcher handle, if you’d like recognition in our acknowledgements.

4. What to Expect From Us

  • Acknowledgement: within 2 business days.
  • Triage: within 5 business days, with a severity classification and an indicative remediation timeline.
  • Status updates: every 7 business days until the report is closed.
  • Resolution windows (target): Critical 14 days, High 30 days, Medium 60 days, Low 90 days.
  • Disclosure: we coordinate publication with you. We default to a public write-up for high-impact issues once fixed.

5. Rewards

We pay rewards for original, in-scope, reproducible findings. Payouts are at our discretion based on severity and quality of the report. Indicative ranges:

  • Critical (P0): $5,000 – $20,000. RCE on production, full tenant boundary bypass, exposure of customer prompts or ePHI at scale.
  • High (P1): $1,000 – $5,000. Authenticated tenant boundary issues, account takeover, exposure of secrets that grant production access.
  • Medium (P2): $250 – $1,000. Limited access control issues, sensitive information leaks without direct exploitation, stored XSS in authenticated areas.
  • Low (P3): $50 – $250 or recognition. Reflected issues with limited impact, configuration findings with a real-world risk.

The first valid report of a unique issue qualifies; duplicates do not. Payments are made via PayPal or bank transfer (researcher’s choice). Researchers in countries subject to U.S. sanctions are not eligible.

6. Hall of Fame

With permission, we list researchers who have contributed valid findings on this page.

Contact

rasmus@thetokencompany.com