Last updated: November 28, 2025
At Tough Customer, the security of our customers and their data is a top priority. We welcome responsible security research and vulnerability reports related to our services, including our Slack applications, Salesforce ISV packages, and web properties.
This Vulnerability Disclosure Policy explains how to report security issues to us and what you can expect in response.
1. Scope
This policy covers:
- Tough Customer Slack apps and integrations
- Tough Customer Salesforce ISV applications and managed packages
- ToughCustomer.ai and any other Tough Customer–owned domains and APIs
Third-party platforms (e.g., Salesforce, Slack, Google, Microsoft) remain out of scope for direct testing; any platform-level issues should be reported to those providers through their own programs.
2. How to Report a Vulnerability
If you believe you have discovered a security vulnerability, please contact us at:
Contact Security Team
Include, to the extent possible:
- A clear description of the issue
- Steps to reproduce (including any proof-of-concept)
- The affected service (Slack app, Salesforce package, API endpoint, etc.)
- Any relevant screenshots, logs, or request/response samples (with sensitive data redacted where possible)
- Your contact information for follow-up
Please use encrypted communication if sharing sensitive details and avoid including real customer data whenever possible.
3. Our Commitment & Response
When you report a vulnerability to us in good faith, Tough Customer will:
- Acknowledge receipt of your report as quickly as reasonably possible.
- Assess and validate the reported issue, assigning a severity rating based on impact and likelihood.
- Remediate validated vulnerabilities in accordance with our internal SLAs, prioritizing critical and high-severity issues.
- Communicate with you about:
  - Whether we consider the issue valid and in scope
  - Planned remediation steps and, where possible, expected timelines
  - When the fix has been deployed
We may request additional details to help reproduce or fully understand the issue.
4. Guidelines for Researchers
To protect our customers and comply with platform policies (including Slack’s), we ask that you:
- Do not access, modify, or exfiltrate customer data (beyond the minimum required to demonstrate the vulnerability).
- Do not disrupt services (e.g., denial-of-service, rate-limit exhaustion, or load testing).
- Do not perform social engineering, phishing, or physical attacks against Tough Customer employees, customers, or partners.
- Do not attempt attacks against third-party infrastructure (e.g., Salesforce, Slack, hosting providers) beyond our direct control.
- Respect privacy and legality: do not violate any laws or regulations in the course of your testing.
If you accidentally access sensitive data, stop testing immediately, do not save or share the data, and include a high-level description in your report so we can respond quickly and appropriately.
5. Safe Harbor
If you make a good faith effort to comply with this policy while discovering and reporting a vulnerability:
- Tough Customer will not initiate legal action against you solely for your security research performed under this policy.
- We will consider your research authorized for the specific purpose of vulnerability discovery and reporting to Tough Customer.
This safe harbor does not apply to actions that are clearly malicious, fraudulent, or that intentionally cause harm.
6. Recognition
At this time, Tough Customer does not operate a formal bug bounty program. However, we appreciate responsible disclosures and may, at our discretion, recognize contributors publicly (with their consent) in release notes or security acknowledgments.