We take the security of Tolmo and our customers’ data seriously. If you believe you have found a vulnerability, we want to hear from you.

How to report

Send a detailed report to security@tolmo.com. Please include:

  • A clear description of the vulnerability
  • Steps to reproduce, including proof-of-concept details or screenshots if helpful
  • Potential impact and affected components
  • Your contact details if you would like credit

Scope

In scope:

  • *.tolmo.com web applications and APIs
  • Tolmo CLI
  • Authentication and authorization logic
  • Data isolation between customer organizations

Out of scope:

  • Denial-of-service attacks
  • Social engineering of Tolmo staff
  • Vulnerabilities in third-party services we depend on
  • Issues that require physical access to a user’s device or credentials

What to expect

  • Acknowledgement within 2 business days
  • Triage and severity assessment within 5 business days
  • Fix timelines based on severity: critical issues within 7 days, high severity within 30 days, and lower severity on a best-effort basis
  • Public credit with your permission once the fix is released

We do not currently offer monetary bounties, but we appreciate responsible disclosure and will do our best to keep you informed throughout the process.

Safe harbor

If you conduct security research in good faith, comply with this policy, and avoid harming users or their data, Tolmo will not pursue legal action against you. We consider good-faith research to be:

  • Testing only against accounts you own or have explicit permission to test
  • Not accessing, modifying, or deleting data belonging to other users
  • Not disrupting production services
  • Reporting the vulnerability to us before public disclosure

Last updated: June 2026.