Report Security Issues
At ToyicoKids, we take the security of our platform seriously. If you’ve discovered a security vulnerability in our systems, we appreciate your help in reporting it responsibly. By following the principles below, you can help us keep our users and systems safe — and we will not pursue legal action or enforcement against you for your responsible disclosure.
🔐 Responsible Disclosure Guidelines
To qualify for safe harbor and a potential reward, please ensure the following:
- Give us reasonable time to respond and remediate the issue before making any information public or sharing details with third parties.
- Do not interact with or compromise private accounts without the explicit consent of the account owner.
- Avoid privacy violations and service disruptions, including data deletion, service degradation, or unauthorised access.
- Do not exploit the vulnerability beyond what is necessary to demonstrate the issue. This includes refraining from attempting to access sensitive company data or probing for additional issues without consent.
- Comply with all applicable laws and regulations during your testing.
🏆 Bug Bounty Program
We value the efforts of security researchers and offer monetary rewards for valid vulnerability reports at our discretion. Bounty amounts depend on the severity, impact, and quality of the report.
To be eligible for a bounty, you must:
- Follow the Responsible Disclosure Guidelines listed above.
- Report a valid security vulnerability that poses a privacy or security risk to ToyicoKids, its users, or its infrastructure.
- Submit your report through our official security contact channel — please do not contact employees directly.
- Immediately disclose any accidental privacy violations (e.g., accessing confidential account data or configurations) in your report.
- Allow us reasonable time to evaluate your submission. Due to the volume of reports, responses may be delayed, and we prioritize reports based on severity.
- Acknowledge that we reserve the right to publish accepted vulnerability reports (with appropriate credit, where possible).
🎁 Rewards Breakdown
Our bounty amounts are based on severity, reproducibility, and potential impact. These are maximum payout amounts, and the actual reward is at our discretion.
| Severity Level | Reward (Up To) | Examples |
|---|---|---|
| Critical | £200 | Remote Code Execution (RCE); full account access; SQL Injection leaking sensitive data; privilege escalation to admin |
| High | £100 | Cross-site Scripting (XSS) affecting other users; lateral authentication bypass; insecure handling of session cookies; local file inclusion |
| Medium | £50 | Logic flaws or business process vulnerabilities; insecure object references |
| Low | Discretionary | Open redirects |
📋 Report Quality Expectations
To ensure your report is eligible for a reward:
- Provide clear, detailed, and reproducible steps. Reports lacking sufficient detail may not qualify.
- In the case of duplicate reports, only the first valid, reproducible submission will be eligible for a reward.
- Multiple issues stemming from a single root cause will be treated as one vulnerability.
- The bounty decision will be based on impact, exploitability, and overall report quality.
📮 Submitting a Report
If you believe you’ve found a security issue in ToyicoKids, please report it responsibly by emailing:
📧 security@toyicokids.com