Bug Bounty Program | Tadabase


Interested in helping Tadabase improve security?


At Tadabase, we take the security of our service very seriously. We regularly test and review our systems, including security audits and penetration testing of our public platforms, to confirm they meet our security requirements.

As part of our approach to maintaining a secure service, we run a bug bounty program that is open to the public. If you have discovered a vulnerability in the Tadabase platform, we would very much like to hear from you, and we reward reports that lead to a security improvement. The award is based on the severity and impact of the issue.


Severity Levels

For researchers who take the time to report a potential vulnerability in our platform, we pay a bounty loosely based on the following reward schedule:

| Severity Level | Description | Reward |
|---|---|---|
| Critical | Vulnerabilities that could lead to system-wide compromise, unauthorized access to sensitive data, or significant disruption of service. Examples include remote code execution, authentication bypass, and SQL injection affecting sensitive data. | $800 |
| High | Issues that affect a significant portion of the system or could lead to unauthorized access or disclosure of non-sensitive data. Examples include privilege escalation, significant security misconfigurations, or XSS that affects admin users. | $200 |
| Medium | Vulnerabilities that affect individual users or require significant user interaction. Examples include reflected XSS, CSRF with some impact, or information disclosure of non-sensitive data. | $100 |
| Low | Minor security issues that pose minimal risk. Examples include clickjacking on non-sensitive actions, verbose error messages, or security best practices not being followed. | $40 |

Bug Bounty Rules

When you are testing, please follow these rules:

  • Rate Limiting: Limit all testing to a maximum of one request per second so that scanning does not overload the Tadabase service.
  • Data Access: We do not allow bug bounty hunters to download database content. A list of the tables is sufficient for proof of concept.
  • Testing Accounts: You will need to create a Tadabase account for testing the service. Always add “BugBounty” as part of the name when registering to confirm your link to the Bug Bounty program.
  • Supported Platforms: We do not accept bugs that affect outdated browsers, user agents, or app versions.
  • Scope of Testing: The primary focus of the Tadabase Bug Bounty program applies to tadabase.io, www.tadabase.io, and any subdomains under tadabase.io.
  • Related Domains: Depending on circumstances, we may accept reports for related domains (e.g., staging.tadabase.io, analytics.tadabase.io). These are not the primary focus of the program and do not hold critical client data, so bounties for them are lower than for the main domains. Tadabase accepts no responsibility for third-party services associated with tadabase.io.
  • Confidentiality: For the protection of our customers, Tadabase requests that you not post or share any data regarding potential vulnerabilities on other public platforms until Tadabase has investigated, taken action, researched, responded to, and addressed the reported vulnerability issue and informed customers if needed.
  • Terms & Conditions: We require that you operate within the guidelines of our Terms & Conditions.
  • Email Usage: Always use email addresses that belong to you. Violations of this rule may result in a reduced or no bounty reward due to potential damage to our business offering.
  • Staging Server Limitations: Our staging server has disabled sending emails; therefore, some of the features are not available (e.g., inviting members by email, email triggers, forgot password, confirm email, etc.).

Reports Excluded from the Bug Bounty Program

We are aware of several niche areas that might be considered as vulnerabilities, but as our service is narrow in focus, the following scenarios are not considered as a bug or vulnerability to Tadabase. Please do not report these issues:

  • Denial of Service (DoS) Attacks: Including any form of DoS or DDoS attacks.
  • Phishing or Social Engineering: Any variant of phishing or social engineering attacks.
  • Physical Attacks: Any physical action outside the realm of a web-based attack.
  • Resource Limits on Downgrade: Enforcement of free-tier limits after an account is downgraded. It is a business decision to make upgrading again smooth, so we allow downgraded users to exceed the free-tier limits for a short period (e.g., number of shared relations within a form, images already uploaded, responses that already exist in their master account).
  • Record Identification: Finding the ID of any record without revealing any private information, updating, or deleting the record.
  • File Extensions: Uploaded files with double extensions where no exploit is demonstrated.
  • Email Validation: Non-validation of emails is a business decision where we allow any user to create an account without email confirmation to maintain simplicity of use.
  • Error Messages: Responses that reveal whether an email address already exists in our database (within forgot password, registration, etc.) are a Tadabase business decision. The number of attempts for these flows is limited, which effectively blocks enumeration of the database.
  • Third-Party Software: We are not responsible for third-party software that may or may not be associated with Tadabase (e.g., analytics.tadabase.io).
  • Unexploitable Vulnerabilities: Theoretical findings that cannot be demonstrated as exploitable against the Tadabase platform.
  • Mobile Apps: Tadabase mobile apps (Android or iOS).

How to Submit a Bug Report

Please review our guidelines below to assist you when submitting an effective bug report:

  1. Summary: Give a short, clear description summarizing the issue you have found.
  2. Reproduction Steps: Step-by-step instructions for reproducing the issue, including how you uncovered and exploited it.
  3. Proof of Concept: Provide proof of how the issue can be exploited to work against the Tadabase platform.
  4. Impact Analysis: Describe the impact of how an attacker could exploit the reported issue to show how it would affect our operations.
  5. Supporting Material: Include any other information and attachments such as screenshots or videos showing the threat or vulnerability that you consider helpful.
  6. Technical Details: Any information you believe pertinent regarding the device or platform is welcome.

The guidelines above are not comprehensive, and the awarding of bounties depends heavily on how accurate and complete the report is. Please be precise in your submission; investigating an issue takes time, and reports that are unclear or vague may not be considered.

For submission, please use the secure channel described in the /.well-known/security.txt file on our website, or alternatively use our contact form.


What to Expect from Tadabase

  • Acknowledgment: We will acknowledge receipt of your submission as soon as possible.
  • Investigation Period: We cannot reward a reported finding immediately, as we first carry out our own investigation of the issue. We aim to respond within one week.
  • One Bounty per Issue: We can only award one bounty per issue reported.
  • First Reporter Reward: If the same issue is reported more than once, the first clear report receives the award.
  • Eligibility: To receive a bounty, you must reside in a country that is not on any official sanction list (e.g., Cuba, Iran, North Korea, Sudan, Syria). Tadabase reserves the right to cancel or amend the bug bounty program. It is at our discretion whether or not to pay an award.
  • Patience: Please be patient once you have submitted your report. We make every effort to check all reports very carefully. Depending on levels of activity, it can take between 1–5 working days for our team to respond to your submission. The same applies to any follow-up email thread. Excessive follow-up emails may result in a reduced bounty due to additional workload for our support team. However, if we have not responded within 7 days, please resend your request.
  • Payment Process: When we confirm the reported vulnerability and assign the associated bounty amount, we will ask you to provide your bank account or preferred payment method to transfer the reward via electronic international payment. Payment will usually appear within 14 days of vulnerability confirmation by Tadabase.

Thank you for helping us keep Tadabase secure!