Security Vulnerability Disclosure Policy

Tophhie Cloud is committed to keeping our services secure. This policy outlines how to responsibly disclose security vulnerabilities and what you can expect from us in return.

Our Commitment to Researchers

We genuinely value the work of security researchers. If you discover a vulnerability and report it responsibly, we commit to:

  • Acknowledge your report within 3 working days
  • Investigate and keep you informed of our progress
  • Work with you to understand and resolve the issue
  • Not pursue legal action against researchers acting in good faith
  • Recognise your contribution publicly (with your permission)

Response Timeline

  • Acknowledgment: 3 days
  • Assessment: 14 days
  • Resolution: 90 days

How to report

Please report all security issues via email. Include as much detail as possible - steps to reproduce, potential impact, and any proof-of-concept if applicable. Encrypted submissions are welcome.

Note: if you need to provide large files or supporting evidence, please let us know at the above email address and we'll provide a secure upload link.

Scope

The following assets are in scope for vulnerability reports:

  • tophhie.cloud (and subdomains)
  • tophhie.co.uk (and subdomains)
  • Tophhie Cloud API
    • api.tophhie.cloud
    • api.tophhie.dev
  • Tophhie Social
    • tophhie.social (and subdomains)
    • pds.tophhie.cloud
  • Marvelist
    • marvelist.co.uk (and subdomains)
    • App vulnerabilities
  • PrivPass
    • privpass.co.uk (and subdomains)
    • App vulnerabilities

The following are out of scope:

  • Social engineering
  • Physical attacks
  • Denial of service
  • Third-party services
  • Spam or phishing

Ground Rules

To qualify for responsible disclosure recognition, we ask that you:

  • Do not access, modify, or delete data that isn't yours
  • Do not perform actions that could impact availability of services
  • Do not disclose the vulnerability publicly before we've had a chance to address it
  • Do not use automated scanning tools against our infrastructure without prior agreement
  • Give us reasonable time to resolve the issue before any public disclosure

What we don't offer

Tophhie Cloud is a personal cloud project. We do not operate a bug bounty programme. We offer public acknowledgement and our genuine gratitude for valid, responsibly disclosed reports.