Background
All security researchers and bug bounty hunters working with Tidepool need to agree to the following rules of engagement.
Individuals not respecting the rules will not be eligible for bounties in the future.
Rules of Engagement
No disruption of services and business flows, this includes:
Creating new clinic requests or accounts in production application (app.tidepool.org)
Denial of Service
Spamming or brute-forcing of forms/accounts
Creating multiple accounts in production
Rate-limit attacks
Resource Exhaustion attacks.
Extensive or automated testing of APIs and environments may be performed without disruption (following the limitations above) in our external testing environment.
We do not accept exploits that require access to the user's email or account
We do not accept bug reports consisting of video content; a written description and full report are required for us to review (see 5).
All bug reports must have a text description, including any affected URLs or resources. If we have to respond to your report with questions, this will make the assessment process take longer.
Per our Terms of Use, if we provide a bounty, the amount awarded will be based on the bug's severity and creativity, and will be at Tidepool's sole discretion.
Tidepool Security will respond to confirm the report as soon as possible. Due to the number of bugs reported, a full response may not be available for 7 days to permit developer and security review.
Teaming up is not appreciated and makes it more difficult for Tidepool to assess, document and respond to bug reports.
Exclusions and Off-limits
The following hosts/services are out of scope as they are not managed by Tidepool:
support.tidepool.org - https://zendesk.com
forms.tidepool.org - https://jotform.com
gifts.tidepool.org - https://shopify.com
signup.tidepool.org - https://formstort.com
Tidepool Terms of Use
“… unless you comply with our Responsible Disclosure Policy (described in Section 3.3 below), you are prohibited from violating or attempting to violate the security of the Tidepool Apps or Tidepool’s other systems or network security, including, without limitation, the following:
Accessing data and information not intended for your use of the Tidepool Apps.
Gaining unauthorized access to an account, server, or any other computer system.
Attempting to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures.
Attempting to interfere with the function of the Tidepool Apps, or any Tidepool App host or network, including, but not limited to, via means of submitting a virus to any Tidepool App, overloading, denial of service attacks, “flooding”, “mailbombing”, “crashing”, or sending unsolicited e-mail, including promotions and/or advertising of products or services.
Sending altered, deceptive or false source-identifying information, including “spoofing” or “phishing.”
Unauthorized access of or tampering with Tidepool’s systems or network security that does not comply with our Responsible Disclosure Policy may result in civil or criminal liability.
3.3 Responsible Disclosure Policy
If you believe you have found a security vulnerability in any of Tidepool’s Apps, Tidepool’s source code or Tidepool’s other systems or network security, we encourage you to let us know right away by submitting a report to security@tidepool.org. We will investigate all legitimate reports and do our best to quickly fix the problem.
If you give us reasonable time to respond to your report before making any information public, and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you. In addition, to show our appreciation, at our discretion, we may provide a monetary bounty for the reporting of certain security bugs.
Bounties are awarded at Tidepool’s sole discretion and are only paid to individuals. Only one bounty may be paid per issue reported. If we provide a bounty, the amount to be awarded will be awarded based on the bug’s severity and creativity, and will be at Tidepool’s sole discretion.”
ref: https://developer.tidepool.org/terms-of-use/#3.3