Tonic Audio Responsible Disclosure Policy

Last updated: March 16, 2025

We at Tonic Audio take the security of our users and systems seriously. We are committed to working with the security community to identify and fix vulnerabilities in a timely manner. If you have discovered a security vulnerability in our services, we appreciate your help in responsibly disclosing it to us.

Scope

This policy applies to:

  • All publicly accessible endpoints and interfaces of Tonic Audio
  • Web applications, APIs, and infrastructure managed by Tonic Audio Inc.
  • Services under the *.tonicaudio.com, *.tnic.io, and *.tonic.audio domains

Out of scope:

  • Social engineering of our employees or contractors
  • Physical attacks or threats
  • Denial of service (DoS) attacks
  • Any vulnerability that only affects outdated or unsupported browsers or platforms

Guidelines

To protect our users and services, we ask that you:

  • Report vulnerabilities as soon as you discover them.
  • Avoid accessing or modifying data that does not belong to you.
  • Do not use automated scanners that may degrade service performance.
  • Provide us with adequate time to investigate and resolve the issue.
  • Do not disclose the vulnerability publicly before it is resolved.

How to Report

Please send your findings through our contact form. Include:

  • A clear description of the vulnerability.
  • Steps to reproduce the issue.
  • Any relevant evidence (screenshots, logs, etc.).
  • Your contact information (if you'd like to be acknowledged).

We will acknowledge receipt of your report within 3 business days and will work with you to understand and resolve the issue.

Recognition

We appreciate the contributions of security researchers. If you responsibly disclose a valid vulnerability and follow this policy, we offer:

  • Optional public recognition on our Security Hall of Fame page (with your consent).
  • A certificate of appreciation upon request.

Please note that we do not offer monetary rewards or bug bounties at this time.

Legal Safe Harbor

If you act in good faith and in accordance with this policy:

  • We will not initiate legal action against you.
  • We will consider your research to be authorized under applicable laws.

Updates

We may update this policy at any time. The latest version will always be available at this link.