Responsible disclosure

Reporting a vulnerability

If you've found a security issue in Fortoxa, we want to hear from you. This policy explains how to report safely, what we'll do, and what we ask of you.

Last updated: 2026-04-19

In scope

  • fortoxa.com and app.fortoxa.com
  • Fortoxa's public API (api.fortoxa.com)
  • Official Fortoxa integrations and worker infrastructure

Allowed

  • Testing on your own tenant/workspace only
  • Non-destructive proof-of-concept up to the point of demonstrating impact
  • Reporting over encrypted channels with enough detail to reproduce

Not allowed

  • Denial of service, volumetric testing, or load generation
  • Social engineering Fortoxa staff, customers or partners
  • Testing against other customers' tenants
  • Public disclosure before we've fixed the issue and agreed a disclosure timeline with you
  • Destructive actions, data exfiltration, or tampering with other users' data

What we commit to

  • Acknowledge receipt within 2 business days.
  • Triage and assign severity within 5 business days.
  • Agree a remediation timeline with you for anything High or Critical.
  • Credit you publicly when the issue is resolved, if you want us to.
  • Safe harbour: we will not pursue legal action for research conducted in line with this policy.

How to report

Email [email protected] with a clear title, steps to reproduce, an impact assessment, and any proof-of-concept artefacts. If you'd rather not send details over plaintext email, say so in the subject line and we'll move to an encrypted channel.

Not a researcher? For general security questions or concerns about your account, please use the contact form.