Vulnerability Disclosure Policy
Test of Things Cybersecurity Compliance Platform
This Vulnerability Disclosure Policy (the “Policy”) describes how Cybertools Group Oy (“ToT”) receives, triages and discloses vulnerabilities affecting the Test of Things compliance platform (the “Platform”) and how it cooperates with customers in the handling of vulnerabilities surfaced through use of the Platform. The Policy is published at testofthings.com/vulnerability-disclosure.
Last updated: 19.5.2026
1. Scope
This Policy covers three flows of vulnerability information:
- Vulnerabilities found by the customer’s testing on its own product through use of the Platform. The customer is responsible for handling these under its own coordinated disclosure programme and, where applicable, the Cyber Resilience Act (“CRA”) Article 13 obligations of the customer’s product. The Platform supports the customer’s workflow but does not assume the customer’s regulatory role.
- Vulnerabilities discovered in the Platform itself, whether by ToT, by a customer, or by an external researcher. ToT operates the disclosure process described in clauses 3 to 6 below.
- Vulnerabilities reported by external researchers about the Platform or about a third-party product that the researcher has tested through the Platform.
Vulnerabilities affecting infrastructure operated by third-party sub-processors are within the scope of those providers’ own programmes; ToT routes reports to them where appropriate.
2. Reporting channel
Send vulnerability reports to:
Email: security@testofthings.com
A response will be sent within three (3) business days. If a response has not been received in that time, please escalate to disclosure@testofthings.com.
3. What to include in a report
To help us triage, please include:
- a description of the vulnerability and its location;
- steps to reproduce, including any required configuration;
- the impact you have demonstrated or believe possible;
- your contact details for follow-up;
- whether you wish to be credited in any public advisory;
- any planned public disclosure date.
4. Coordinated disclosure timeline
ToT operates a default ninety (90) day coordinated disclosure window. The clock starts on the date of the initial response under clause 2.
| Day | Activity |
|---|---|
| 0 | Report received |
| Within 3 business days | Acknowledgement and initial triage |
| Within 30 days | Reproduction confirmed; severity assigned; remediation plan communicated to the reporter |
| Day 90 | Public disclosure or coordinated disclosure with the reporter |
The window can be extended by mutual agreement where remediation requires more time, or shortened where active exploitation in the wild is observed.
5. Safe harbour for good-faith research
ToT will not initiate or support legal action, civil or criminal, against a researcher who:
- makes a good-faith effort to comply with this Policy;
- accesses only data and systems necessary to demonstrate the vulnerability;
- does not disclose data of ToT, of customers or of data subjects beyond what is necessary to report the vulnerability;
- does not disrupt the Platform’s operation; and
- does not exploit the vulnerability beyond what is necessary to demonstrate it, and does not retain access to systems beyond the report.
This safe harbour does not extend to social-engineering attacks against ToT personnel, denial-of-service attacks, physical attacks on ToT facilities, or attacks against third parties.
6. Vulnerabilities discovered in the Platform
If a vulnerability is found in the Platform that affects customer security, ToT will:
- notify affected customers without undue delay and in any event within seventy-two (72) hours of confirming the vulnerability where personal data is implicated (per the Data Processing Agreement);
- provide the customer with sufficient information to assess the vulnerability’s impact on the customer’s own systems and obligations;
- coordinate remediation timing with the customer where the customer’s own product or workflow is affected;
- support the customer’s reporting obligations to its regulators and customers, including any CRA Article 14 reporting where the vulnerability affects a product manufactured by the customer.
7. Customer’s product vulnerabilities and CRA Article 14
From 11 September 2026, manufacturers of products with digital elements have an obligation under CRA Article 14 to report actively exploited vulnerabilities to ENISA within fixed timelines (24-hour early warning, 72-hour notification, 14-day final report). That reporting obligation is the customer’s, not ToT’s.
ToT supports the customer’s obligation by:
- providing timely access to logs and audit trails of the relevant test runs;
- exporting the audit trail in a format suitable for inclusion in the customer’s Article 14 filing on reasonable request;
- notifying the customer of any platform-side issue that materially affects the integrity or completeness of the test evidence the customer relies on.
The customer remains responsible for whether and when to file under Article 14.
8. Active-exploit data and AI
ToT excludes unpublished actively exploited vulnerabilities from the AI Features’ prompts by default. The customer may, by an explicit and logged action through the Platform, override this exclusion in a specific case where the customer has determined the override is necessary. Such data is then handled subject to the Pilot SaaS Agreement and the Data Processing Agreement.
9. Public disclosure
ToT publishes coordinated advisories at testofthings.com/security-advisories. Where a researcher has reported a vulnerability and elected to be credited, the advisory names the researcher.
10. Updates to this Policy
ToT may update this Policy from time to time. The “Last updated” date at the top reflects the date of the latest material change. ToT will notify customers of material changes through the Platform or by email.