Vulnerability Disclosure Policy — Tosi

Security researchers are some of our best partners. No software is airtight, and we'd rather hear about a problem from you than find out the hard way. If you spot something that looks off, we want to know.

The spirit of this program

This isn't a bug bounty — we're a small team and we don't offer financial rewards. What we do offer is a genuine thank-you, a prompt response, and the knowledge that you helped make a product that many organizations rely on a bit safer.

We ask that you approach this the same way we do: in good faith, with curiosity, and without causing harm.

Ground rules

What to do

- Report as soon as you find something. The earlier we know, the sooner we can fix it.
- Give us a reasonable window to patch before going public — we'll work fast.
- Only test against accounts you own or have explicit permission to use.
- Keep it to two accounts max if you genuinely need multiple. Need more? Just ask us first.

What not to do

- Launch denial-of-service attacks
- Send spam
- Phish or socially engineer our team or contractors
- Attempt anything physical against our infrastructure

What's out of scope

Some things are known trade-offs or outside our control — reporting them won't go anywhere:

- DMARC records or email configuration gaps
- XSS on any domain other than control.tosi.net
- XSS that only affects colleagues within the same workspace
- HTTP security headers on our primary site at tosi.net
- Low-signal, generic reports with no real finding behind them
- Any services that are not subdomains of tosi.net or tosibox.com

We have zero tolerance for "beg bounties". If your report reads like it was generated from a template scanner with nothing interesting to show, we won't respond and will block future contact.

Scope

Target            | Notes
------------------|------------------------------------------------------
tosi.net          |
tosibox.com       | Except reports related to custom HTTP headers or CSRF
control.tosi.net  |
IP addresses      | As listed in our Knowledgebase
Response

What to expect from us

We're a small team, so you won't hit a ticket queue with a 30-day SLA. You'll hear from a real engineer. We aim to acknowledge valid reports within a few business days and keep you in the loop as we work towards a fix.

Legal

Safe harbor

If you follow this policy, we consider your actions authorized. We won't pursue legal action against you, and if a third party tries to, we'll make it clear that you were acting in good faith and in compliance with this program.

How to report

Send your findings to security@tosi.net. For sensitive information, you can encrypt the data using our PGP Public Key at https://www.tosi.net/.well-known/security.pgp.txt.

Please include enough detail to reproduce the issue — a description of the vulnerability, steps to reproduce, and any relevant screenshots or payloads go a long way.

Thanks for looking out for us and our users. It means a lot.