Security

Security reporting and coordinated disclosure

ToppyMicroServices prefers good-faith, low-impact reporting with clear reproduction steps and explicit scope. This policy covers public services under toppymicros.com and public GitHub repositories under ToppyMicroServices.

Last updated: 2026-03-20

Scope

What this policy covers

In scope

Publicly reachable assets under the toppymicros.com domain and public GitHub repositories under ToppyMicroServices.

Out of scope

Internal systems, personal accounts, third-party platforms, and reports that do not show a clear exploit path.

  • Best-practice recommendations without a demonstrable vulnerability.
  • Missing security headers that do not by themselves enable an exploitable issue.
  • Self-XSS, or issues that require the victim to tamper with their own browser or devtools.
  • Volumetric denial-of-service attacks.

Reporting

How to send a useful report

Send reports to

security@toppymicros.com

A concise report is better than a long one. Start with the affected asset, the vulnerability class, and the impact.

Include these details

  1. Vulnerability description and affected asset.
  2. Reproduction steps or a minimal proof of concept.
  3. Impact assessment.
  4. Suggested remediation, if you have one.

Working model

Researcher commitments and our commitments

What we ask from researchers

  • Do not access or retain more data than is needed to demonstrate the issue.
  • Do not modify or delete user data.
  • Do not disrupt services or degrade availability.
  • Give us a reasonable remediation window before disclosure.
  • Act in good faith and comply with applicable law.

What you can expect from us

  • Acknowledgement within 5 business days.
  • An initial triage result after validation.
  • Meaningful updates during remediation.
  • Public thanks after resolution if you want it.

Triage and disclosure

Severity, timeline, and safe harbor

Severity and prioritization

We prioritize by impact on confidentiality, integrity, and availability. Critical issues that expose user data or enable remote code execution receive the highest priority. Informational issues may be tracked without immediate action.

Timeline

We aim to remediate most valid issues within 30 days. Complex architectural issues may require up to 60 days if meaningful progress is underway.

Safe harbor

If you make a good-faith effort to follow this policy, we will not pursue legal action. Stop once the issue is demonstrated. Do not establish persistence, move laterally, or escalate privileges beyond what is strictly necessary to show the impact.

Hall of thanks

We may publish opt-in acknowledgements for researchers who help improve our security posture. Tell us if you prefer anonymity.

Version history: 2025-11-12 initial public version; 2026-03-20 tone and structure update.