This document outlines the Vulnerability Disclosure Policy for Tupl, Inc., a Delaware corporation, hereinafter “Tupl”. It details how to report potential security vulnerabilities in Tupl systems and services and includes guidelines for ethical hacking, which reports are in scope and out of scope, and our commitment to legal protection and confidentiality for researchers. This policy ensures that vulnerabilities are reported and addressed responsibly.
If you believe you have found a security vulnerability on one of Tupl's websites or in Tupl's apps, we thank you in advance for letting us know right away. We will investigate all legitimate reports and strive to address any security issues promptly.
Below you will find the best way to report a security vulnerability. If you wish to report a privacy issue, please contact our privacy officer as described in the Tupl Privacy Policy.
This policy must be read and understood before any security research is conducted or any reports are submitted. Compliance with this policy is required to ensure that security vulnerabilities are reported and handled in a responsible manner, protecting both the researchers and Tupl.
Tupl does not currently offer a reward program; thus, there will not be any compensation, reward or public recognition for submittal of potential vulnerabilities.
By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against Tupl related to your submission.
If you make a good faith effort to comply with this policy during your security research, Tupl will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and will not recommend or pursue legal actions related to your research. Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorization known.
We will not pursue legal action, nor initiate a complaint to law enforcement, against the researcher operating in good faith. However, Tupl reserves all legal rights in the event of noncompliance with the Guidelines for Operating in Good Faith that follow.
Under this policy, "research" means activities in which you:
Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
When reporting potential vulnerabilities, please consider (1) realistic attack scenarios, and (2) the security impact of the behavior. Below, you will find the most common false positives. The following issues will be ignored as invalid except in rare circumstances when a clear security impact is demonstrated.
The following vulnerabilities are out of scope for submittal under the Vulnerability Disclosure Policy:
This policy applies to the following systems and services:
Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any). If you are not sure whether a system is in scope or not, contact us at cybersecurity.support@tupl.com before starting your research (or at the security contact for the system's domain name listed in the WHOIS).
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.
To disclose a potential vulnerability, please email cybersecurity.support@tupl.com. We will not share your name or contact information without express permission and will keep it confidential. If you prefer to remain anonymous, please consider using the anonymous report and feedback channel on the Tupl website.
To help us triage and prioritize submissions, please provide:
Information submitted under this policy will be used for defensive purposes only to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect not only Tupl but all users of a product or service, we may share your report with the relevant cybersecurity and security agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
If your report includes a contact email address, we commit to acknowledging receipt of your vulnerability report within 5 business days and will keep you informed about the progress of our investigation and provide updates as necessary until the issue is resolved.
We request that you do not publicly disclose the details of any potential vulnerabilities without express written consent from Tupl Inc. We aim to resolve and remediate vulnerabilities promptly, and public disclosure could adversely affect customers that have not upgraded and are still running a vulnerable version.
This policy will be reviewed and updated annually or as needed to ensure it remains current with evolving security practices.