Overview

At TO THE NEW, we believe in fostering a collaborative approach to security. The individuals listed below have demonstrated exceptional skill in responsibly disclosing vulnerabilities in TTN's ecosystem. We extend our heartfelt thanks to each of them for their contributions.

For the security of our users and service, we ask that you do not share details of the suspected vulnerability publicly or with any third party.

Reporting a security vulnerability

If you identify a vulnerability - whether it's low-severity or critical - please forward your findings to breach@tothenew.com. TO THE NEW is committed to working with security researchers to verify and address potential vulnerabilities that are reported to us.

Acknowledgment

Regardless of the vulnerability’s severity, we are happy to recognize your efforts by listing your name in our Hall of Fame. We thank all security researchers who help us improve our security standards.

Reporting guidelines

When submitting a potential vulnerability, please adhere to the following guidelines to ensure it is eligible for consideration:

  • Provide a detailed description of the vulnerability
  • Include steps to reproduce the issue. We cannot address vulnerabilities we cannot reliably reproduce
  • Clearly describe the impact of the vulnerability and offer an exploit scenario
  • If possible, provide a proof of concept

Submissions that do not meet these guidelines may not qualify for inclusion in our Hall of Fame.

In-scope & Out-of-scope

All public-facing parts of our website (https://www.tothenew.com/) are within the scope of this policy and are of primary interest to us.

TO THE NEW uses third-party services and providers. Our disclosure policy does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be evaluated on a case-by-case basis.

Not applicable vulnerabilities

We ask that you refrain from reporting the following types of vulnerabilities. While they may be reproducible, we consider them informational and not security issues:

  • Banner or version information disclosure
  • OPTIONS / TRACE HTTP method enabled
  • "Advisory" or "Informational" reports (e.g., user enumeration)
  • Vulnerabilities requiring physical access
  • Missing CAPTCHAs
  • Default web server pages
  • Brute-force attacks
  • Content or hyperlink injection in emails
  • Missing SPF/DMARC records
  • Content spoofing
  • Password policy issues
  • Full-path disclosure
  • XML-RPC accessibility or enumeration
  • CSRF attacks that do not require authentication
  • Issues on third-party subdomains or services
  • Security-related header reports (HSTS, XSS mitigation, etc.)
  • Click-jacking without a valid exploit
  • Denial of Service (DoS) vulnerabilities
  • Theoretical vulnerabilities that are not exploitable

By following this policy, you help us maintain the security of our services and user data. We greatly value your contribution in keeping TO THE NEW secure.