Vulnerability Disclosure Policy



Version: 1.0

Effective Date: 28.05.2026

Last Reviewed: 28.05.2026

Owner: Information Security Team

Contact: dataprotection@tonidigital.com



1. Introduction

TONI Digital Insurance Solutions AG ("the Company" or "TONI Digital") is committed to the security of its systems, services, and the data entrusted to us by our customers and partners. We recognise that security researchers and the broader community play an important role in identifying vulnerabilities that our internal processes may miss.

This Vulnerability Disclosure Policy ("Policy") sets out how we expect vulnerabilities affecting our systems and products to be reported, how we will respond, and what researchers can expect from us during the process.



2. Scope

2.1 In Scope

This Policy applies to vulnerabilities discovered in:

  • Publicly accessible web applications and APIs operated by TONI Digital
  • Company-managed infrastructure and network services (where internet-facing)
  • Mobile applications published by TONI Digital
  • Authentication and access control mechanisms for Company services
  • Third-party software or services where TONI Digital is the primary data controller

2.2 Out of Scope

The following are explicitly excluded from this Policy:

  • Systems or services operated by third-party vendors or suppliers (report these directly to the vendor)
  • Physical security vulnerabilities (e.g., tailgating, lock-picking)
  • Social engineering attacks targeting Company employees or customers
  • Denial-of-service (DoS/DDoS) attacks or testing that degrades service availability
  • Vulnerabilities in software or operating systems not under the Company's control
  • Issues that require unlikely or impractical user interaction to exploit
  • Findings based solely on automated scan output without demonstrated exploitability
  • Domains or systems not owned or operated by TONI Digital

If you are unsure whether a system is in scope, please ask before testing.



3. How to Report a Vulnerability

3.1 Reporting Channel

Submit vulnerability concerns by email to dataprotection@tonidigital.com with the subject line "IT Security concern". Please do not include any sensitive information or technical details in this initial email; we will be in touch with you at the earliest opportunity with instructions on how to transmit your findings to us in a secure and encrypted manner.


3.2 What to Include

To help us triage and investigate promptly, please include as much of the following as possible:

  • A clear description of the vulnerability and the potential impact
  • The affected system, URL, component, or product version
  • Step-by-step reproduction instructions
  • Supporting evidence such as screenshots, proof-of-concept code, or HTTP request/response logs
  • Any suggested remediation or mitigation steps
  • Your contact details (name, email, and optionally a PGP key for secure communications)

Anonymous reports are accepted, though they limit our ability to follow up with you.


3.3 Please Do Not

When researching and reporting vulnerabilities, we ask that you do not:

  • Access, modify, exfiltrate, or delete data that does not belong to you
  • Disrupt or degrade the availability of any Company service
  • Conduct testing on production systems beyond what is strictly necessary to confirm the vulnerability
  • Attempt to access accounts or data belonging to other users
  • Disclose the vulnerability to third parties before we have had a reasonable opportunity to investigate and remediate
  • Demand payment as a condition of disclosure


4. Our Commitments to Researchers

Provided you act in good faith and comply with this Policy, TONI Digital commits to the following:

  • Acknowledgement: We will acknowledge receipt of your report within 2 business days.
  • Communication: We will provide an initial assessment of validity and severity within 10 business days of receipt.
  • Updates: We will keep you informed of progress at reasonable intervals, typically no less than every 20 business days unless the investigation requires confidentiality.
  • Remediation: We will work to remediate confirmed vulnerabilities in a timeframe proportionate to their severity (see Section 5).
  • No legal action: We will not pursue legal action against researchers who comply with this Policy and act in good faith. We reserve the right to take action where this Policy is not followed.


5. Severity and Response Timelines

We classify vulnerabilities using the Common Vulnerability Scoring System (CVSS v3.1) and target the following remediation timelines from confirmed report to deployed fix:


Severity      CVSS Score    Target Remediation
Critical      9.0 – 10.0    7 days
High          7.0 – 8.9     30 days
Medium        4.0 – 6.9     60 days
Low / Info    0.1 – 3.9     90 days

These are targets, not guarantees. Complex vulnerabilities or those requiring significant architectural changes may take longer. We will communicate any delays to the reporting party.



6. Coordinated Disclosure

We follow the principle of coordinated disclosure. We ask that you:

  • Allow us a reasonable period to investigate and remediate the issue before any public disclosure.

If we are unable to remediate within the agreed period, we will discuss options with you, which may include disclosing a partial fix or a workaround alongside a public advisory.

We will not request indefinite embargoes without strong justification.



7. Bug Bounty / Reward

For security vulnerabilities disclosed in line with this Policy, TONI Digital will strongly consider a reward, the amount of which we will decide on a case-by-case basis.



8. Safe Harbour

TONI Digital considers good-faith security research conducted in compliance with this Policy to constitute authorised access under applicable computer fraud and misuse laws. We will not initiate or support legal action against researchers for activities that:

  • Are conducted in accordance with this Policy
  • Do not compromise the privacy, safety, or security of our customers or employees
  • Do not result in financial loss or damage to the Company or third parties
  • Are reported to us promptly

Nothing in this Policy constitutes a waiver of any legal right in the event of actions that fall outside these conditions.



9. Policy Maintenance

This Policy is owned by the Information Security Team and will be reviewed at least annually or following any significant change to the Company's products or services. The latest version is always available at tonidigital.com/vulnerabilitydisclosure.



TONI Digital thanks the security research community for helping keep our systems and customers safe.