Vulnerability Disclosure Policy

1. About this document

This document outlines the Vulnerability Disclosure Policy for Tupl, Inc., a Delaware corporation, hereinafter “Tupl”. It details how to report potential security vulnerabilities in Tupl systems and services and includes guidelines for ethical hacking, the scope of in-scope and out-of-scope reports, and our commitment to legal protection and confidentiality for researchers. This policy ensures that vulnerabilities are reported and addressed responsibly.

If you believe you have found a security vulnerability on one of Tupl web sites or in Tupl apps, we thank you in advance for letting us know right away. We will investigate all legitimate reports and strive to address any security issues promptly.

Below you will find the best way to report a security vulnerability. If you wish to report a privacy issue, please contact our privacy officer as described on Tupl Privacy Policy.

This policy must be read and understood before any security research is conducted or any reports are submitted. Compliance with this policy is required to ensure that security vulnerabilities are reported and handled in a responsible manner, protecting both the researchers and Tupl.

2. Rewards

Tupl does not currently offer a reward program; thus, there will not be any compensation, reward or public recognition for submittal of potential vulnerabilities.

By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against Tupl related to your submission.

3. Authorization

If you make a good faith effort to comply with this policy during your security research, Tupl will consider your research to be authorized, will work with you to understand, and resolve the issue quickly, and Tupl will not recommend or pursue legal actions related to your research. Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorization known.

We will not pursue legal action, nor initiate a complaint to law enforcement, against the researcher operating in good faith. However, Tupl reserves all legal rights in the event of noncompliance with the Guidelines for Operating in Good Faith that follow.

4. Guidelines for operating in good faith

Under this policy, "research" means activities in which you:

• Notify us as soon as possible after discovering a real or potential security issue
• Avoid disruptive actions against Tupl systems. Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
• Keep the information related to the discovered vulnerability confidential
• Avoid privacy violations or any destruction, modification or exfiltration of Tupl data
• Use exploits only to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems
• Do not submit low-quality reports

Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

5. Out of Scope Reports and Ineligible Findings

When reporting potential vulnerabilities, please consider (1) realistic attack scenarios, and (2) the security impact of the behavior. Below, you will find the most common false positives. The following issues will be ignored as invalid except in rare circumstances when a clear security impact is demonstrated.

The following vulnerabilities are out of scope for submittal under the Vulnerability Disclosure Policy:

• Spam or social engineering techniques (e.g. phishing, vishing, etc.)
• Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
• Brute force credential compromise
• Theoretical vulnerabilities that require unlikely user interaction or circumstances (e.g. only affecting users of unsupported or EoL browsers or OS)
  • Content spoofing and text injection issues (e.g. content injection posting content on Tupl websites)
  • Broken link hijacking, tabnabbing
  • Attacks requiring physical access to a device (unless explicitly in scope)
  • Self-exploitation, such as self-XSS or self-DoS (unless it can be used to attack a different account)
• Theoretical vulnerabilities with no demonstrated real-world security impact. For example:
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on forms with no sensitive actions (e.g., Logout)
  • Permissive CORS configurations without demonstrated security impact
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Comma Separated Values (CSV) injection
  • Open redirects (unless you can demonstrate additional security impact)
• Optional security hardening steps / Missing best practices. For example:
  • SSL/TLS Configurations
  • Lack of SSL Pinning
  • Lack of jailbreak detection in mobile apps
  • Cookie handling (e.g., missing HttpOnly/Secure flags)
  • Content-Security-Policy configuration opinions
  • Optional email security features (e.g., SPF/DKIM/DMARC configurations)
  • Most issues related to rate limiting
• Vulnerabilities that may require hazardous testing. This type of testing must never be attempted unless explicitly authorized:
  • Issues relating to excessive traffic/requests (e.g. DoS, DDoS)
  • Any other issues where testing may affect the availability of systems
  • Social engineering attacks (e.g. phishing, opening support requests)
  • Attacks that are noisy to users or admins (e.g. spamming notifications or forms)
  • Attacks against physical facilities or device theft
• Any other non-technical vulnerability testing

6. Systems in Scope

This policy applies to the following systems and services:

• *.agroadvisor.com
• *.tupl.com
• *.tupl.io
• *.tuplos.com

Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any). If you are not sure whether a system is in scope or not, contact us at cybersecurity.support@tupl.com before starting your research (or at the security contact for the system's domain name listed in the WHOIS).

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.

7. Contact Information

To disclose a potential vulnerability, please email to: cybersecurity.support@tupl.com. We will not share your name or contact information without express permission and will keep it confidential. If you prefer to remain anonymous, please consider using the anonymous report and feedback channel in Tupl website.

To help us triage and prioritize submissions, please provide:

• Site, product or service name and affected versions when applicable
• An identified host or its network interface
• Description of the issue
• Timeline or temporal information on when the vulnerability was discovered
• Class or type of vulnerability, optionally using a taxonomy like CWE (Common Weakness Enumeration)
• Root cause (or CVE if known)
• Proof-of-concept code or other substantial evidence (scripts, screenshots, etc.)
• Tools and steps to reproduce the vulnerable behavior
• Impact and severity estimate
• any information you consider necessary to locate and resolve the vulnerability as quickly and efficiently as possible
• If possible, emails in English are preferred.

Information submitted under this policy will be used for defensive purposes only to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect not only Tupl but all users of a product or service, we may share your report with the relevant cybersecurity and security agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.

8. Response Time

If your report includes a contact email address, we commit to acknowledging receipt of your vulnerability report within 5 business days and will keep you informed about the progress of our investigation and provide updates as necessary until the issue is resolved.

9. Public Disclosure

We request that you do not publicly disclose the details of any potential vulnerabilities without express written consent from Tupl Inc. We aim to resolve and remediate vulnerabilities promptly, and public disclosure could adversely affect customers that have not upgraded and are still running a vulnerable version.

10. Policy Revoew and Updates

This policy will be reviewed and updated annually or as needed to ensure it remains current with evolving security practices.