Responsible Disclosure Policy

Help us strengthen security through responsible vulnerability reporting.

Security at TO THE NEW

At TO THE NEW, security is embedded into everything we build and operate. We follow a secure-by-design approach, ensuring our platforms, applications, and infrastructure are continuously monitored, tested, and improved. 

We recognize and value the role of security researchers, ethical hackers, and the broader community in helping identify vulnerabilities and strengthen our systems. This Responsible Disclosure Policy defines how vulnerabilities can be reported, assessed, and resolved in a coordinated, transparent, and secure manner.

Reporting a vulnerability

If you discover a security vulnerability, please report it to: breach@tothenew.com.

We encourage reporting of all valid vulnerabilities, regardless of severity, and commit to evaluating each submission in a timely and structured manner.

What to include in your report

To help us efficiently validate and remediate the issue, please include:

  • Detailed description of the vulnerability
  • Exact location (URL, endpoint, system)
  • Step-by-step reproduction instructions
  • Proof of Concept (PoC), if applicable
  • Potential impact and exploit scenarios

This aligns with industry-standard reporting expectations followed by leading enterprises.

Scope of this policy

In scope

This policy applies to all public-facing assets under www.tothenew.com. We prioritize vulnerabilities that impact confidentiality, integrity, or availability of systems and data.

Out of scope

The following are not covered under this policy:

  • Third-party systems, platforms, or services
  • Vendor-managed infrastructure or integrations

If a vulnerability involves a third-party system, please report it directly to the respective provider.

Non-qualifying / Informational findings

To maintain focus on impactful issues, the following are generally considered out of scope:

  • Banner or version information disclosure
  • OPTIONS / TRACE HTTP method enabled
  • "Advisory" or "Informational" reports (e.g., user enumeration)
  • Vulnerabilities requiring physical access
  • Missing CAPTCHAs
  • Default web server pages
  • Brute-force attacks
  • Content or hyperlink injection in emails
  • Missing SPF/DMARC records
  • Content spoofing
  • Password policy issues
  • Full-path disclosure
  • XML-RPC accessibility or enumeration
  • CSRF on forms that are available to unauthenticated users
  • Issues on third-party subdomains or services
  • Missing or misconfigured security headers (HSTS, X-XSS-Protection, etc.) without a demonstrated exploit
  • Clickjacking without a valid exploit
  • Denial of Service (DoS) vulnerabilities
  • Theoretical vulnerabilities that are not exploitable

Reports in these categories may not be prioritized or eligible for recognition.

Disclosure guidelines

  • Do not publicly disclose vulnerabilities before remediation
  • Allow reasonable time for resolution
  • Coordinate with our team before sharing findings

This ensures user safety and aligns with responsible disclosure standards followed globally.

Recognition - Hall of Fame

We value contributions from the security community.

  • Valid reports are acknowledged in our Hall of Fame
  • Recognition is based on quality, impact, and adherence to guidelines
  • We currently do not offer monetary rewards

Contact & next steps

If you believe you have discovered a vulnerability, email breach@tothenew.com.

By reporting responsibly, you help us create a safer digital ecosystem for our users, partners, and clients.