<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Security Policy | ToppyMicroServices</title>
<meta name="viewport" content="width=device-width,initial-scale=1" />
<meta name="description" content="Coordinated vulnerability disclosure policy for ToppyMicroServices, including scope, reporting process, timelines, and safe harbor commitments." />
<meta name="robots" content="index,follow,max-image-preview:large" />
<meta name="theme-color" content="#0b1221" />
<meta name="color-scheme" content="dark light" />
<link rel="canonical" href="https://www.toppymicros.com/security-policy.html" />
<link rel="icon" href="/favicon.ico" sizes="any">
<link rel="icon" type="image/png" href="/favicon-32.png" sizes="32x32">
<link rel="apple-touch-icon" href="/apple-touch-icon.png" sizes="180x180">
<meta property="og:type" content="website" />
<meta property="og:title" content="Security Policy | ToppyMicroServices" />
<meta property="og:description" content="Coordinated vulnerability disclosure and safe harbor policy for ToppyMicroServices." />
<meta property="og:url" content="https://www.toppymicros.com/security-policy.html" />
<meta property="og:site_name" content="ToppyMicroServices" />
<meta property="og:image" content="https://www.toppymicros.com/og-brand-clean.png" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:title" content="Security Policy | ToppyMicroServices" />
<meta name="twitter:description" content="Coordinated vulnerability disclosure and safe harbor policy for ToppyMicroServices." />
<meta name="twitter:image" content="https://www.toppymicros.com/og-brand-clean.png" />
<style>
:root {
--bg: #0b1221;
--fg: #e6e9f2;
--muted: #a7b0c3;
--card: #121a2e;
--accent: #5aa7ff;
--accent-2: #72e5b6;
--border: #1b2540;
--glow-1: rgba(90,167,255,0.18);
--glow-2: rgba(114,229,182,0.12);
--maxw: 1040px;
}
@media (prefers-color-scheme: light) {
:root {
--bg: #ffffff;
--fg: #0b1221;
--muted: #5b667a;
--card: #f7f9fc;
--accent: #0056cc;
--accent-2: #088a5b;
--border: #e6e9f2;
--glow-1: rgba(0,86,204,0.10);
--glow-2: rgba(8,138,91,0.10);
}
}
* { box-sizing: border-box; }
html, body { margin: 0; padding: 0; }
body {
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, system-ui, sans-serif;
background:
radial-gradient(1000px 600px at 18% -10%, var(--glow-1), transparent 60%),
radial-gradient(900px 500px at 88% 0%, var(--glow-2), transparent 55%),
var(--bg);
color: var(--fg);
line-height: 1.65;
}
a { color: var(--accent); text-decoration: none; }
a:hover { text-decoration: underline; }
a:focus-visible, .btn:focus-visible { outline: 2px solid var(--accent); outline-offset: 2px; }
code {
font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
font-size: 0.95em;
padding: 0.12em 0.35em;
border-radius: 8px;
border: 1px solid var(--border);
background: color-mix(in hsl, var(--card) 72%, var(--bg) 28%);
}
.container { max-width: var(--maxw); margin: 0 auto; padding: 24px; }
header { position: sticky; top: 0; z-index: 20; border-bottom: 1px solid var(--border); backdrop-filter: blur(8px) saturate(150%); background: color-mix(in hsl, var(--bg) 88%, transparent); }
.nav { display: flex; align-items: center; justify-content: space-between; gap: 16px; }
.brand { display: inline-flex; align-items: center; gap: 8px; color: var(--fg); font-weight: 700; letter-spacing: .2px; white-space: nowrap; }
.brand-logo { height: 28px; width: auto; border-radius: 6px; }
.links { display: flex; gap: 14px; align-items: center; flex-wrap: wrap; font-size: 13px; }
.links a { color: var(--fg); opacity: .9; }
.btn {
display: inline-block;
padding: 8px 14px;
border-radius: 10px;
border: 1px solid var(--border);
background: var(--card);
color: var(--fg);
font-weight: 600;
}
.btn:hover { border-color: var(--accent); text-decoration: none; }
.btn.primary {
background: linear-gradient(90deg, var(--accent), var(--accent-2));
color: #0b1221;
border: none;
}
main { padding-bottom: 32px; }
.hero { padding: 52px 0 24px; }
.eyebrow { margin: 0 0 10px; font-size: 12px; letter-spacing: .14em; text-transform: uppercase; color: var(--accent-2); font-weight: 700; }
h1 { font-size: clamp(30px, 4vw, 44px); line-height: 1.2; margin: 0 0 12px; }
h2 { font-size: 22px; margin: 0 0 10px; }
h3 { font-size: 18px; margin: 0 0 8px; }
p { margin: 0 0 10px; }
.lead { max-width: 780px; font-size: 17px; color: var(--muted); margin: 0 0 14px; }
.hero-actions { display: flex; gap: 10px; flex-wrap: wrap; margin-top: 14px; }
section { padding: 28px 0; border-top: 1px solid var(--border); }
.section-kicker { margin: 0 0 8px; font-size: 12px; letter-spacing: .12em; text-transform: uppercase; color: var(--accent-2); font-weight: 700; }
.section-lead { color: var(--muted); margin: 0 0 14px; max-width: 760px; }
.grid { display: grid; gap: 16px; }
.card {
padding: 18px;
border: 1px solid var(--border);
border-radius: 14px;
background: var(--card);
}
.muted { color: var(--muted); }
ul, ol { margin: 0; padding-left: 20px; }
li + li { margin-top: 8px; }
footer { border-top: 1px solid var(--border); color: var(--muted); font-size: 14px; }
.footer-row { display: flex; align-items: center; gap: 10px; }
.footer-logo { height: 28px; width: auto; border-radius: 6px; }
.footer-links { display: flex; gap: 12px; flex-wrap: wrap; margin-top: 10px; }
@media (min-width: 760px) {
.grid.two { grid-template-columns: repeat(2, minmax(0, 1fr)); }
}
@media (max-width: 760px) {
.nav { flex-wrap: wrap; }
.links { width: 100%; }
}
</style>
<script defer data-domain="toppymicros.com" data-auto="false" src="https://plausible.io/js/script.tag"></script>
<script defer src="/assets/global.js"></script>
</head>
<body>
<header>
<nav class="container nav" aria-label="Main">
<a href="/" class="brand" aria-label="Home">
<img src="216722720.png" alt="ToppyMicroServices logo" class="brand-logo" width="28" height="28" decoding="async" fetchpriority="high">
<span>ToppyMicroServices OÜ</span>
</a>
<div class="links">
<a href="/#services">Services</a>
<a href="/#proof">Proof</a>
<a href="/#products">Products</a>
<a href="/#about">Company</a>
<a href="/contact.html" class="btn">Contact</a>
</div>
</nav>
</header>
<main class="container">
<section class="hero" aria-label="Security policy hero">
<p class="eyebrow">Security</p>
<h1>Security reporting and coordinated disclosure</h1>
<p class="lead">ToppyMicroServices prefers good-faith, low-impact reporting with clear reproduction steps and explicit scope. This policy covers public services under <code>toppymicros.com</code> and public GitHub repositories under <code>ToppyMicroServices</code>.</p>
<div class="hero-actions" aria-label="Primary actions">
<a class="btn primary" href="mailto:security@toppymicros.com">Report a vulnerability</a>
<a class="btn" href="/contact.html">Open contact page</a>
</div>
<p class="muted">Last updated: 2026-03-20</p>
</section>
<section aria-label="Scope">
<p class="section-kicker">Scope</p>
<h2>What this policy covers</h2>
<div class="grid two">
<div class="card">
<h3>In scope</h3>
<p>Publicly reachable assets under the <code>toppymicros.com</code> domain and public GitHub repositories under <code>ToppyMicroServices</code>.</p>
</div>
<div class="card">
<h3>Out of scope</h3>
<p>Internal systems, personal accounts, third-party platforms, and reports that do not show a clear exploit path.</p>
<ul>
<li>Best-practice recommendations without a demonstrable vulnerability.</li>
<li>Missing headers that do not enable a direct security issue.</li>
<li>Self-XSS or issues that require browser or devtools tampering.</li>
<li>Volumetric denial-of-service attacks.</li>
</ul>
</div>
</div>
</section>
<section aria-label="Reporting process">
<p class="section-kicker">Reporting</p>
<h2>How to send a useful report</h2>
<div class="grid two">
<div class="card">
<h3>Send reports to</h3>
<p><a href="mailto:security@toppymicros.com">security@toppymicros.com</a></p>
<p class="muted">A concise report is better than a long one. Start with the affected asset, the vulnerability class, and the impact.</p>
</div>
<div class="card">
<h3>Include these details</h3>
<ol>
<li>Vulnerability description and affected asset.</li>
<li>Reproduction steps or a minimal proof of concept.</li>
<li>Impact assessment.</li>
<li>Suggested remediation, if you have one.</li>
</ol>
</div>
</div>
</section>
<section aria-label="Working model">
<p class="section-kicker">Working model</p>
<h2>Researcher commitments and our commitments</h2>
<div class="grid two">
<div class="card">
<h3>What we ask from researchers</h3>
<ul>
<li>Do not exfiltrate more data than needed to prove the issue.</li>
<li>Do not access, modify, or delete user data.</li>
<li>Do not disrupt services or degrade availability.</li>
<li>Give us a reasonable remediation window before disclosure.</li>
<li>Act in good faith and comply with applicable law.</li>
</ul>
</div>
<div class="card">
<h3>What you can expect from us</h3>
<ul>
<li>Acknowledgement within 5 business days.</li>
<li>An initial triage result after validation.</li>
<li>Meaningful updates during remediation.</li>
<li>Public thanks after resolution if you want it.</li>
</ul>
</div>
</div>
</section>
<section aria-label="Triage and disclosure">
<p class="section-kicker">Triage and disclosure</p>
<h2>Severity, timeline, and safe harbor</h2>
<div class="grid two">
<div class="card">
<h3>Severity and prioritization</h3>
<p>We loosely map impact to confidentiality, integrity, and availability. Critical issues affecting user data or enabling remote code execution receive the highest priority. Informational issues may be tracked without immediate action.</p>
<h3>Timeline</h3>
<p>We aim to remediate most valid issues within 30 days. Complex architectural issues may require up to 60 days if meaningful progress is underway.</p>
</div>
<div class="card">
<h3>Safe harbor</h3>
<p>If you make a good-faith effort to follow this policy, we will not pursue legal action. Stop once the issue is demonstrated. Avoid persistence, lateral movement, or privilege escalation beyond what is strictly necessary.</p>
<h3>Hall of thanks</h3>
<p>We may publish opt-in acknowledgements for researchers who help improve our security posture. Tell us if you prefer anonymity.</p>
</div>
</div>
<p class="muted">Version history: 2025-11-12 initial public version; 2026-03-20 tone and structure update.</p>
</section>
</main>
<footer>
<div class="container">
<div class="footer-row">
<img src="216722720.png" alt="ToppyMicroServices logo" class="footer-logo" width="28" height="28" loading="lazy" decoding="async">
<div>© 2026 ToppyMicroServices OÜ</div>
</div>
<div>Karamelli tn 2, 11317 Tallinn, Harju County, Estonia</div>
<div>Registry code: 16551297</div>
<div class="footer-links" aria-label="Legal links">
<a href="/">Home</a>
<a href="/contact.html">Contact</a>
<a href="/security-policy.html">Security Policy</a>
<a href="/privacy-policy.html">Privacy Policy</a>
<a href="/terms-legal-notice.html">Terms / Legal Notice</a>
</div>
</div>
</footer>
</body>
</html>