Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
Note |
---|
Individuals who fail to respect the rules of engagement will not be eligible for bounties in the future. |
Live Search | ||||||||
---|---|---|---|---|---|---|---|---|
|
Background
All security researchers and bug bounty hunters working with
...
Tidepool must agree to the following rules of engagement
...
.
Rules of Engagement
No disruption of services and business flows, this includes:
Creating new clinic requests or accounts in production application (https://app.tidepool.org).
Denial of Service.
Spamming or brute-forcing of forms/accounts.
Creating multiple accounts in production.
Rate-limit attacks.
Resource Exhaustion attacks.
Extensive or automated testing of API's and environment may be performed without disruption (following the limitations above) in our external testing environment.
We do not accept exploits that require access to the user's email or account.
We do not accept bug reports consisting of video content, a description and full report is required for us to review (see 5).
All bug reports must have a
text description
including anyaffected URL's
or resources. If we have to respond to your report with questions, this will make the assessment process take longer.Per our Terms of Use
...
:
If we provide a bounty, the amount to be awarded will be awarded based on the
...
bug's severity and creativity, and will be at
...
Tidepool's sole discretion.
...
Tidepool Security will respond to confirm the report as soon as possible. Due to the number of bugs reported, a full response may not be available for
...
Teaming up is not appreciated and makes it more difficult for Tidepool to assess, document and respond to bug reports.
Exclusions
...
, Off-limits, and Out of Scope Domains
The following hosts/services are out of scope as they are not managed by Tidepool:
Tidepool Terms of Use
“… unless you comply with our Responsible Disclosure Policy (described in Section 3.3 below), you are prohibited from violating or attempting to violate the security of the Tidepool Apps or Tidepool’s other systems or network security, including, without limitation, the following:
Accessing data and information not intended for your use of the Tidepool Apps.
Gaining unauthorized access to an account, server, or any other computer system.
Attempting to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures.
Attempting to interfere with the function of the Tidepool Apps, or any Tidepool App host or network, including, but not limited to, via means of submitting a virus to any Tidepool App, overloading, denial of service attacks, “flooding”, “mailbombing”, “crashing”, or sending unsolicited e-mail, including promotions and/or advertising of products or services.
Sending altered, deceptive or false source-identifying information, including “spoofing” or “phishing.”
Unauthorized access of or tampering with Tidepool’s systems or network security that does not comply with our Responsible Disclosure Policy may result in civil or criminal liability.
3.3 Responsible Disclosure Policy
If you believe you have found a security vulnerability in any of Tidepool’s Apps, Tidepool’s source code or Tidepool’s other systems or network security, we encourage you to let us know right away by submitting a report to security@tidepool.org. We will investigate all legitimate reports and do our best to quickly fix the problem.
If you give us reasonable time to respond to your report before making any information public, and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you. In addition, to show our appreciation, at our discretion, we may provide a monetary bounty for the reporting of certain security bugs.
Bounties are awarded at Tidepool’s sole discretion and are only paid to individuals. Only one bounty may be paid per issue reported. If we provide a bounty, the amount to be awarded will be awarded based on the bug’s severity and creativity, and will be at Tidepool’s sole discretion.”
ref: https://developer.tidepool.org/terms-of-use/#3.3
FAQ
(Updated over time, as recurring questions are identified.)
Page Tree |
---|