Responsible disclosure

Last updated 2025-10-14

1. Scope

This policy applies to all IT assets owned or operated by Torena (“Company”). This includes, but is not limited to, the Company’s websites, self-service platforms, API interfaces, network infrastructure, and other digital systems. This policy does not apply to customer-operated or customer-managed resources, even if they operate within the Company’s infrastructure – such as virtual servers, private network segments, or client-deployed software. It also does not apply to internal testing or audit activities.

2. Purpose

The purpose of this policy is to promote transparent and constructive collaboration between the Company and security researchers, technical professionals, clients, or other individuals who have identified potential vulnerabilities. The policy is designed to establish a clear and secure process for submitting reports, with the goal of identifying risks early and helping prevent potential harm.

3. What You Can Report

Security vulnerabilities considered relevant under this policy include conditions that may affect the security of the Company’s managed IT resources, such as self-service platforms, websites, API interfaces, or network components. Such issues may include:

  • improper authentication or authorization mechanisms (e.g., bypassing access controls).
  • unauthorized access to other users’ data or restricted information.
  • vulnerabilities related to common attack vectors (e.g., SQL injection, XSS, CSRF, SSRF).
  • insecure or faulty configurations (e.g., weak passwords, dangerous default settings).
  • incorrect access rights or exposed network ports.
  • transmission of sensitive data without appropriate encryption.
  • active debug mode left enabled in production environments.

This list is not exhaustive. If you are unsure whether a particular behavior or condition constitutes a security concern, we encourage you to contact us using the details provided in this policy.

4. How to Report

Vulnerability reports should be submitted by email to security@torena.lt. Where possible, please include the following information:

  • a clear description of the vulnerability and its potential impact.
  • step-by-step instructions to reproduce the issue.
  • tools or scripts used to identify the problem (if applicable).
  • technical logs, sample requests or responses.
  • (optional) suggestions for remediation.

To ensure secure communication, we recommend using the Company’s public PGP key, available on our official website or upon request.

5. What We Expect from You

We expect reporters to act responsibly, ethically, and proportionately, in accordance with the following principles:

  • avoid any actions that could disrupt services or harm other users.
  • do not use discovered vulnerabilities to access or alter data without authorization.
  • refrain from conducting denial-of-service attacks, social engineering, or attempts at physical intrusion.
  • do not engage in activities that violate applicable laws or regulations.
  • do not publicly disclose information about the vulnerability until the Company has addressed it or provided explicit permission.
  • maintain confidentiality and cooperate with the Company to resolve the issue.

6. Ownership & Liability

The Company reserves the right to update or amend this policy at any time. Updates may be made to reflect changes in legal requirements, internal processes, or service development. The latest version of this policy is always published on the Company’s official websites.

If you act in good faith, follow the terms of this policy, and do not attempt to harm the Company, its clients, or its infrastructure, your actions will not be considered a violation or grounds for legal action. This policy should not be interpreted as permission to conduct broad security testing or intrusion attempts—any activity must remain proportionate, non-destructive, and must not compromise the integrity of data or services. The Company reserves the right to evaluate each case individually and will aim to cooperate with responsible reporters in resolving identified issues.