Vulnerability Reporting

TouchBistro's Vulnerability Disclosure Policy

TouchBistro takes security very seriously and believes that the protection of customer data is a significant responsibility. TouchBistro investigates all reported vulnerabilities and genuinely values the assistance of security researchers in keeping our systems secure.

Guidelines for Responsible Disclosure

TouchBistro requests that all researchers:

  • Notify TouchBistro as soon as possible upon discovery of a potential security vulnerability.
  • Make a good-faith effort to avoid privacy violations, destruction of data, degradation of user experience, and disruption to production systems during security testing.
  • Only interact with accounts they own.
  • Provide a reasonable amount of time to fix the vulnerability before disclosure to the public or any third parties. Keep communication channels open to allow for effective collaboration.

If the guidelines are followed when reporting an issue, TouchBistro commits to:

  • Working with the security researcher promptly to understand and remediate the issue quickly.
  • Providing an initial confirmation of the report within 5 business days of submission.

Report a Security Vulnerability

TouchBistro requests that all researchers:

  • Send a report to VulnerabilityReporting@touchbistro.com.
  • If you feel the need to, use our PGP public key – KeyID: 7B1280C6D559F413 – to encrypt your communications.
  • Include a description of the location and potential impact of the vulnerability.
  • Provide the detailed steps needed to reproduce and validate the vulnerability, along with supporting material (e.g. proof-of-concept, tool output).