Token Forest Security Policy

Last updated 2026-07-08

Publisher: Poietic Studio

Token Forest is a proprietary desktop application published by Poietic Studio. We take reports about its security and privacy behaviour seriously — especially anything that contradicts our published Privacy Notice.

Supported versions

Only the latest public release receives security fixes unless a release note states otherwise. Older releases and development snapshots are unsupported — please upgrade.

Reporting a vulnerability

Please report suspected vulnerabilities privately:

  • Preferred: GitHub private vulnerability reporting — https://github.com/Ericcccccc777/Poietic-TokenForest/security
  • Email: security@tokenforest.com.au (mailbox activating before the first public release)

Please do not open a public issue for an unpatched vulnerability. Ordinary bugs and feature requests are welcome in the public issue tracker.

Do not include in any report: your Claude/Codex logs, prompts or conversation content, source code, access/refresh tokens, or other users' leaderboard data. If we need artifacts, we will arrange a minimal, private way to share them.

What to include

  • Token Forest version and exact download filename (plus its SHA-256 if possible);
  • operating system and architecture;
  • clear impact description and reproducible steps or proof of concept;
  • whether the leaderboard was Off, Paused or On;
  • whether the issue has been disclosed anywhere else;
  • how you would like to be credited (or anonymity).

In scope

  • any upload of local logs, prompts, conversation content or source-code files;
  • any network request while the leaderboard is off (the app promises zero);
  • a mismatch between the consent dialog / Privacy Notice and what is actually sent;
  • leaderboard authentication or row-level-security bypass (reading or modifying another user's row);
  • exposure of access/refresh tokens;
  • local storage readable across OS user boundaries;
  • arbitrary code execution, unsafe archive/update handling, DLL or library hijacking;
  • tampering with official downloads, checksums or signatures;
  • failure of the advertised leaderboard-deletion flow.

Please use only your own accounts and test data, and stop once the issue is demonstrated.

Out of scope (usually)

  • UI, animation or layout bugs; feature requests;
  • token-count differences explained by our documented metric definitions;
  • SmartScreen warning that a new file is “not commonly downloaded” when signature/hash are otherwise valid;
  • issues requiring full prior control of the user's OS account;
  • automated scanner output without demonstrated impact;
  • social engineering of team members.

We may still act on out-of-scope reports that expose real user risk.

Our response

Targets, not guarantees: acknowledge within 3 business days; initial assessment within 7 business days; status updates at least every 14 days for confirmed issues. For critical issues we may pull affected downloads immediately. Fixes are rebuilt from a clean commit, re-signed where applicable, republished with new checksums, and announced in the release notes; withdrawn binaries stay marked rather than silently rewritten.

If you act in good faith — avoid privacy harm, use only your own data, allow reasonable time to fix — we will work with you, and with your permission credit you in the release notes.

Privacy requests

Requests to delete a leaderboard entry or questions about data handling are not vulnerabilities — see the Privacy Notice contact section. Never send anyone your account.json tokens.

Release authenticity

Official downloads come only from this website and the product repository's GitHub Releases, each with a SHA-256 checksum and a stated signing status. Do not run a download that fails verification — delete it, re-download from an official channel, and report it if the mismatch persists.