I take security seriously. If you find a vulnerability in ToolBox, I want to know so I can fix it. This page documents how to report issues and what you can expect in return.
Triage the issue and give you an honest assessment of severity.
Patch confirmed vulnerabilities as quickly as I can (usually within days for high/critical).
Credit you in the fix commit or changelog if you want public acknowledgement.
In scope
toolbox-kit.com and www.toolbox-kit.com
API endpoints under /api/*
Hosted Pro endpoints: /api/hooks/<handle>/<bucket> (Webhook Inbox), /api/mock/<handle>/<path> (Mock API Server), and /api/mcp/<handle> (Personal MCP Server). Reports of bucket/handle collision, header injection, mock-served XSS, or MCP key disclosure are particularly welcome.
The MCP server (toolbox-mcp on npm)
The browser extension
The CLI
Out of scope
Self-XSS that requires the user to paste content into their own browser
Self-DoS in tools that process user-supplied input (ReDoS in regex tester, etc.)
Missing security headers without a working exploit
Automated scanner output without manual verification
Social engineering or physical access
Issues affecting only outdated browsers
Vulnerabilities in third-party services (Supabase, Cloudflare, Dodo Payments) — report those to the respective vendor
Safe harbor
Good-faith security research is welcome. If you act in good faith and stay within scope:
I won't pursue legal action.
I won't share your identity without your permission.
Avoid privacy violations, destruction of data, and interruption of service for other users.
Only test against accounts you own.
Bounties
ToolBox is a solo project without a formal bounty budget. I'll offer credit and, for impactful reports, a small thank-you (free Pro subscription, swag, or a token bounty depending on severity).
This policy is effective from 2026-05-16. Last reviewed 2026-05-17.