Responsible Vulnerability Disclosure Policy | Toddle

Last Updated: June 27, 2025

Responsible Vulnerability Disclosure Policy

It is our mission to help teachers deliver meaningful learning experiences. A key part of this mission is creating a platform that is safe, secure, and trusted by our users. We believe strong security builds strong trust, which is why we welcome responsible disclosure from the security community to help us identify and fix potential vulnerabilities.


Purpose

This Responsible Vulnerability Disclosure Policy (“Policy”) outlines how security researchers and members of the public (“you,” “researcher(s)”) can report potential security vulnerabilities in Toddle Services. It provides a clear and lawful way to support responsible security research and enable timely remediation.

We are committed to:

  • Investigating and resolving security issues thoroughly
  • Collaborating with the security community
  • Responding promptly to valid reports

Please note: This policy does not grant indemnity for any actions that breach the law or violate its terms, nor does it create any indemnity obligation on the part of Toddle or any third party.

Scope of Disclosure

The following Toddle assets are currently in scope:

  • Toddle Student App (iOS and Android)
  • Toddle Educator App (iOS and Android)
  • Toddle Family App (iOS and Android)
  • toddleapp.com and all subdomains

If you are uncertain whether an asset is covered, contact Toddle before testing.

Out-of-Scope Vulnerabilities

The following are out of scope and must not be tested or reported:

  • Social engineering, phishing, or physical intrusion
  • Denial-of-Service (DoS/DDoS) or resource-exhaustion attacks
  • Automated scanner output without a working proof-of-concept
  • Missing security headers, cookie flags, or TLS settings without demonstrable exploitability
  • Self-XSS or clickjacking on static or non-sensitive pages
  • Email spoofing or tabnabbing without real-world exploit impact
  • Content spoofing or UI redressing issues with no security impact
  • Findings that depend on outdated browsers, rooted/jailbroken devices, or MITM access
  • Low-impact or unauthenticated CSRF
  • Lack of SPF, DKIM, or DMARC on non-email domains or subdomains
  • Rate limiting issues that do not expose sensitive data or allow brute-force attacks
  • Error messages or stack traces that do not lead to a direct exploit
  • Insecure CORS policies that do not leak or allow access to sensitive data
  • Public endpoints like xmlrpc.php or open API discovery that do not allow unauthorized access
  • Vulnerabilities in platforms, tools, or plugins not used or managed by Toddle
  • Any finding based solely on best practices without clear exploitability

Research Responsibilities

As long as you follow this policy and act in good faith, we consider your research authorized. We’ll work with you to understand and fix the issue. For actions to avoid, see Prohibited Activities below.

  • Report any real or potential security issue as soon as you discover it
  • Make every effort to avoid accessing personal data, affecting the user experience, disrupting our systems, or damaging any data
  • Use exploits only to confirm that the issue exists. Please don’t use them to extract data, gain deeper access, or explore other areas of our systems
  • Do not intentionally compromise the privacy, safety, or rights of any Toddle team member, user, or third party
  • Do not interfere with the intellectual property or business operations of Toddle or anyone else
  • If you are submitting a report on behalf of your employer or a third party, please ensure you have their written permission to do so

Handling Sensitive Data

If you inadvertently access personal or confidential data, service configurations, or cause a disruption to our systems:

  • Stop testing immediately
  • Do not save, copy, store, transfer, or share the data
  • Contact us right away and include details of what was accessed in your report
  • Support our investigation and remediation efforts

Third-Party Vulnerabilities

If the issue reported involves a third-party library, tool, or vendor, we may share relevant information with that party and, with your consent, also share your contact details to coordinate resolution.

Prohibited Activities

Researchers must not:

  • Test anything that’s not listed in the Scope of this policy
  • Use high-intensity, invasive, or destructive security scanning tools to find vulnerabilities
  • Share vulnerability details publicly or with others unless we’ve agreed in writing
  • Use phishing, impersonation, or other social engineering tactics
  • Send unsolicited messages to Toddle users or team members
  • Attempt to overload or crash our systems through denial-of-service or similar attacks
  • Introduce malware or other harmful code into our environment
  • Run tests in a way that could disrupt, slow down, or damage Toddle’s systems
  • Test or interfere with services or tools that are not owned or operated by Toddle
  • Modify, delete, share, or make inaccessible any data you might come across during your testing
  • Use any vulnerability to extract data, gain shell access, create backdoors, or move into other parts of our systems

Researchers must securely delete any data retrieved during testing once it is no longer required to verify the issue or within one month of resolution, whichever is earlier. Toddle will confirm when the vulnerability has been resolved so you can proceed with deletion.

How to Report a Vulnerability

If you’ve found a potential vulnerability in any of our products or services, please let us know by emailing security@toddleapp.com. To help us investigate quickly and thoroughly, your submission should contain:

  • A clear description of the issue, including what you discovered and why it matters
  • Evidence of the vulnerability such as logs, screenshots, server responses, or other supporting information
  • The tools you used to identify the vulnerability
  • The date you discovered the issue
  • Detailed steps to reproduce the issue
  • Any relevant platforms, operating systems, app versions, or configurations
  • Any related IP addresses, subdomains, or URLs involved
  • Your assessment of how exploitable or impactful the issue might be
  • Your name and contact information, and how you’d like to be acknowledged (if at all)

This is a private and confidential disclosure process. Please do not publish, share, or discuss any details of the vulnerability, including proof-of-concept code, without written permission from Toddle. If public disclosure becomes appropriate, we will work with you to coordinate a safe and responsible release.

If your report includes sensitive information, we recommend encrypting it before sending. If you’re unsure how to do this or need support, feel free to contact us and we’ll assist you.

After you submit your report, our security team will review and assess the issue. We will keep you updated throughout the process. Please allow us a reasonable window to investigate and resolve the issue. We ask that all communication about the report remains confidential during this time.

Researcher Recognition

We deeply appreciate the contributions of security researchers who help us make Toddle more secure. While we do not offer guaranteed rewards, if you are the first to report a valid vulnerability that leads to a confirmed fix, you may receive one of the following as a token of appreciation:

  • An Amazon gift card
  • Toddle-branded merchandise

Recognition is discretionary and based on the quality of the report, the severity of the issue, and its contribution to improving our security.

Eligibility Criteria

To keep our disclosure programme open and globally inclusive, please ensure that you meet all of the following conditions:

  • You are at least 18 years old, or the age of majority in your country, whichever is higher
  • You are not a current or recent (within the past six months) employee, intern, or contractor of Toddle
  • You are not an immediate family member of a current Toddle employee or contractor
  • You are not acting on behalf of a third party (such as an employer or client) unless you have written authorization from that party to submit the report
  • You are not located in, or ordinarily resident in, any country or territory subject to international sanctions or export-control restrictions
  • You are not listed on any international sanctions lists, watchlists, or restricted persons databases (such as those maintained by the UN, EU, OFAC, or similar authorities)

Safe Harbor

If you act in good faith, avoid any behavior outlined in Prohibited Activities, meet the Eligibility Criteria, and report the issue directly to us without public disclosure, we will not pursue legal action against you or ask law enforcement to investigate your actions.

Legal Notice

Nothing in this Policy grants you (i) permission to act in a manner that would cause Toddle to violate applicable laws or (ii) ownership rights to Toddle intellectual property or data. This Policy shall be governed by and construed in accordance with the laws of India, and any disputes shall be subject to the exclusive jurisdiction of the courts of Bengaluru, India.

Updates and Amendments

Toddle reserves the right to modify this policy at any time. We recommend regularly reviewing this policy for updates.

For questions regarding this Policy, please contact security@toddleapp.com.