Security Policy

This security policy applies to the torchbox.com website and any subdomain of torchbox.com. It is the policy linked from our security.txt.

Torchbox does not have a “Bug Bounty” program. Whilst we appreciate and accept reports from anyone, and will gladly give credit to you and/or your organisation, we aren’t able to “reward” you for reporting the vulnerability.

“Beg Bounties” are ever increasing among security researchers, and it’s not something we condone or support.

We do not respond to inquiries about bug bounties and rewards.

If you believe you’ve found something on a Torchbox site which has security implications, please send a description of the issue via email to the address in security.txt.

Once you’ve submitted an issue via email, you should receive an acknowledgment from a member of the security team within 48 hours, and depending on the action to be taken, you may receive further followup emails.

To increase the chance of your issue not being ignored as a speculative, automated submission, include this sentence in your email:

"I have read Torchbox's security policy. The magic word is Stella."