Nozbe Security - Bug Bounty

Our customers entrust Nozbe with their personal and professional information. Keeping this data safe is our highest priority.

We welcome all security researchers to take a hard look at our work and we offer rewards for responsible vulnerability reports.

What to focus on when searching for vulnerabilities

Nozbe:

Rules of Bug Bounty program

  • No social engineering, phishing, or physical attacks
  • Report reproducible security bugs to us immediately
  • Don’t intentionally access, change, delete, or disrupt access to data of other users
    • If you do so by accident, delete all relevant data and disclose it to us immediately
  • Do not disclose vulnerabilities to others until we confirm to you that we’ve deployed a fix
  • Don’t use automated tools that generate high server traffic (e.g. aggressive scanners or fuzzers)

Ineligible reports

Issues below are unlikely to be awarded a bounty:

  • Non-security bugs (send those to support@nozbe.com)
  • DDoS, missing or inadequate request rate limiting
  • Social engineering, brute-force attacks, compromised user passwords
  • Race condition bugs (e.g. bypassing plan limits)
  • Findings in publicly accessible databases such as Phonebook.cz, DeHashed.com, etc.
  • Email addresses disclosed in URLs
  • Vulnerabilities on unsupported browsers, operating systems, and outdated versions of our apps
  • Issues in 3rd party Nozbe clients and integrations
  • Highly unlikely issues, e.g. those that would require significant effort from the user, or that only become exploitable when chained with other vulnerabilities we don’t have
  • Reports that merely point out we don’t follow a “best practice”, without a demonstrated security impact
  • Expiration times of tokens in password reset and invitation emails
  • Missing DMARC records
  • Missing CAA records, missing HSTS header or “weak” TLS/SSL ciphers

Rewards granted by Nozbe

  • You must be the first to report an issue to us
  • Eligibility, severity, and the reward amounts are at our discretion
  • We may decline or award a smaller bounty for low-quality reports or if we believe you were not acting responsibly

Here’s what you can expect:

Critical Severity Bugs: $1000 or more

  • Remote code execution
  • SQL injection
  • Authentication to an arbitrary account
  • Customer data disclosure
  • Critical vulnerabilities in internal services
  • … and other critical bugs

High Severity Bugs: $400 or more

  • Cross-site scripting (XSS)
  • Cross-site request forgery (XSRF) on sensitive actions
  • Privilege escalation within a workspace
  • Data disclosure within a workspace
  • … and other high-severity bugs

Medium Severity bugs: $100 or more

  • XSS requiring user interaction
  • Metadata disclosure within a workspace
  • … and other medium-severity bugs

Low Severity bugs: $30 or more

  • Insignificant information leaks (no customer data)
  • Application-level DoS issues (DDoS and missing rate limiting remain ineligible, see above)
  • … and other low-severity bugs

Fine print

  • Safe harbor: responsible research consistent with the rules in this document is considered authorized conduct, and we won’t initiate legal action against you for it
  • If we award a bounty to you, you may be responsible for taxes and other legal compliance (depending on your country)

How to submit your report

Submit vulnerabilities you find to: security@nozbe.com.

Here’s what will happen when you send us a report:

  1. We’ll acknowledge the report as soon as we can.
  2. We’ll investigate the issue and determine its severity. We might ask you for more information if we can’t reproduce the bug.
  3. If a bug is high or critical severity, we’ll drop everything to work on deploying a fix.
  4. We will keep you in the loop regarding progress on the fix. Note that in some cases the process might take a while (e.g. when we need to ship native apps through the app stores, or when the issue involves an external or open source component and we have to notify our partners first).
  5. Once the fix is deployed, we’ll award you the bounty. Do not disclose the vulnerability until we confirm that it’s been patched.