ToolHall

Security

We're a cybersecurity company. We expect people to look under the hood, and we want to hear about what you find. This page is our coordinated-disclosure policy.

How to report

Email paul@toolhall.com with a clear description of the issue and enough detail that we can reproduce it. Please include:

  • The vulnerable URL, endpoint, or component.
  • Steps to reproduce, with example payloads where relevant.
  • Impact — what an attacker could do with this.
  • Your name or handle (if you'd like credit).

We'll acknowledge your report within three business days and keep you updated as we investigate and remediate.

Scope

In scope:

  • This website and its subdomains.
  • ScamSnap applications and APIs (once released).
  • Any ToolHall-operated infrastructure that processes user data.

Out of scope:

  • Third-party services we don't operate (hosting providers, font CDNs, etc.).
  • Social-engineering attacks against our staff, contractors, or customers.
  • Physical attacks or attacks requiring physical access.
  • Denial-of-service testing, volumetric attacks, or resource-exhaustion.
  • Reports generated exclusively by automated scanners without analysis.

Safe harbor

If you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you for your research. Good faith means:

  • You only access data or accounts that are clearly your own.
  • You stop testing the moment you confirm a vulnerability.
  • You give us a reasonable window to fix the issue before disclosing publicly.
  • You do not exfiltrate, modify, or destroy data.

Disclosure timeline

We aim to remediate valid reports within 90 days of confirmation. We coordinate public disclosure with the reporter once a fix is shipped.

What we don't do

  • We do not currently run a paid bug-bounty program.
  • We will not ask you to sign an NDA as a condition of reporting.
  • We do not treat the act of reporting, by itself, as a hostile act.

Recognition

Researchers who report valid, in-scope issues in good faith will be listed here with permission. No list yet — want to be first?

PGP

A PGP key for sensitive reports is available on request. Email paul@toolhall.com and we'll reply with the fingerprint.

Last updated: 2026-04-18

© 2026 ToolHall Technology Made in Bozeman, Montana · Built to protect