Nozbe Security - Bug Bounty

Our customers entrust Nozbe with their personal and professional information. Keeping this data safe is our highest priority.

We welcome all security researchers to take a hard look at our work and we offer rewards for responsible vulnerability reports.

What to focus on when searching for vulnerabilities

Nozbe Teams:

  • teams.nozbe.com, dev4.nozbe.com
  • latest iOS, and Android apps
  • api4.nozbe.com, devapi4.nozbe.com
  • WatermelonDB
  • sentry.nozbe.tv
  • n4-elk-logs.nozbe.tv
  • teams.nozbe.help

Rules of Bug Bounty program

  • No social engineering, phishing, physical attacks
  • Disclose reproducible security bugs immediately to us
  • Don’t intentionally access, change, delete, or disrupt access to data of other users
    • If you do so by accident, delete all relevant data and disclose it to us immediately
  • Do not disclose vulnerabilities to others until we confirm to you that we’ve deployed a fix
  • Don’t use automatic tools that generate high server traffic

Ineligible reports

Issues below are unlikely to be awarded a bounty:

  • Non-security bugs (send those to support@nozbe.com)
  • DDoS, missing/inadequate requests rate limiting
  • Social engineering, brute force attacks, compromised user password
  • Vulnerabilities on unsupported browsers, operating systems, and outdated versions of our apps
  • Issues in 3rd party Nozbe clients and integrations
  • Highly unlikely issues - e.g. those that would require significant effort from the user, or chaining multiple vulnerabilities we don’t have
  • Reports regarding that we don’t follow “best practices”
  • Token expiration in password reset and invitation emails
  • Missing DMARC records

Rewards granted by Nozbe

  • You must be the first to report an issue to us
  • Eligibility, severity, and the reward amounts are at our discretion
  • We may decline or award a smaller bounty for low-quality reports or if we believe you were not acting responsibly

Here’s what you can expect:

Critical Severity Bugs: $800 or more

  • Remote code execution
  • SQL injection
  • Authentication to arbitrary account
  • Customer data disclosure
  • Critical vulnerabilities in internal services
  • … and other critical bugs

High Severity Bugs: $400 or more

  • XSS
  • XSRF on sensitive actions
  • Privilege escalation within a workspace
  • Data disclosure within a workspace
  • … and other high-severity bugs

Medium Severity bugs: $200 or more

  • XSS requiring user interaction
  • Metadata disclosure within a workspace
  • … and other medium-severity bugs

Low Severity bugs: $50 or more

  • Insignificant information leaks (no customer data)
  • DoS issues
  • … and other low-severity bugs

Fine print

  • Safe harbor: Responsible research consistent with the rules of this document is considered authorized conduct and we won’t initiate legal action against you
  • If we award a bounty to you, you may be responsible for taxes and other legal compliance (depending on your country)

How to submit your report?

Submit vulnerabilities you find to: security@nozbe.com.

Here’s what will happen when you send us a report:

  1. We’ll acknowledge the report as soon as we can, usually within one day
  2. We’ll investigate the issue and determine its severity. We might ask you for more information if we can’t reproduce the bug.
  3. If a bug is high or critical severity, we’ll drop everything to work on deploying a fix.
  4. We will keep you in the loop regarding progress on the fix. Note that in some cases, the process might take a while (e.g. when we need to deploy native apps to app stores, or if it involves an external or open source component and we have to notify our partners about the issue)
  5. Once the fix is deployed, we’ll award you the bounty. Do not disclose the vulnerability until we confirm that it’s been patched.

Here’s our GPG key you can use when appropriate:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF48gBQBEACvSJ2kzhHeKbCKQ+kfUd0j3sHP59hp1ywkM8RoD64p5Nv4Bvyj
XKEGVUo7vc7im5IelCkBk3oVCVNl6bpNuTRiFBKUOQDk0GYM57YouxpdbwkDmzNA
HFhZh5z9IgTP6qWYlh3OXvwzL4S97xfUEE/G9WS/YeNPPfuiidpKXmRhCT5o86JV
tLWdqeLOFZOnzPOn4jW1jvKqU7zsYy+v00m6X3dvBJUfMXRERLftEZOn45wegBNU
Y+cEw5Bt1vyC04AcgJVjG3JMIayESBft8HkdaUnMMLRstO8hj5s04mhJJyDLcEcA
KnJWGkSOHlZpOrPAwB1kvQPUtAFnVOBVPIEFvx7sAnnVaUyFCXN21tjsD2cKKxI7
mRBMlXL8TwlGCrm3XKU5dZCSYrU5HlOpdSH7MLQ2/ppEYttSENEZWxgFs7cyMEp1
E7v2qQxGSxHbX3rcaovf+t4WOhK0cqwB480wSKF8Tis3gEM+Q+fWsIVuDI7CeFCD
9hKDhRDcXnNR4woOLQySNicDJs0FfWJR5OTDNQZLk9vLmKNyhC5K2nx7+GibU6KJ
ESdaLm/MqI7QzjGnNiImWLagaqNxYYHWVrCWW46fCFShU3LbZowzaPDIpSKBmuOr
YEh9DFmJ7YHhHoyLAHiBSvAKTolo1+FSfLAXh14xXUr40u7sQvt1IGxUawARAQAB
tCNOb3piZSBTZWN1cml0eSA8c2VjdXJpdHlAbm96YmUuY29tPokCVAQTAQgAPhYh
BHEo2R/0klMIM5L4IHKabnk/jUbXBQJePIAUAhsDBQkHhh+ABQsJCAcCBhUKCQgL
AgQWAgMBAh4BAheAAAoJEHKabnk/jUbXHmsP/iNnWvmayeOUlCmcGqmu1MPEXMA1
zNZ3zHlhPAkycQA8bJloE3W3X+FMPoJpy9ADs1M4DALCJ5nlWo/U6FooXKNKmBhr
eqwEXUp1ywsrjoMjIHloVAIIYyJANqYYuk6hLqu3S/C2hxonCmh/TalZ3BeTU0NG
Tw5qHAelAKTbyAQ62uBgyq4sQbu1tK/DjgBdAMRQ0YqrfruI0/nU28RwBC4Zqbzp
DOLl5w8OxSzG2TbK3z7Zu84NeB/YqK3cfxVOxg2o08xadpSjS3yoJf7NwOmz1XoB
/ZYq58PTqt/RDKscZMF0ddCSTy5IJTZ5bLjXujMXFEWkfxng5iM2NqhkwtuViRhs
iRc36OJ9EDZLSeu5wZg+sufPmERurNv4gLgPCrVasV138BdWJy11nmgQ3YOLPoTj
KyxqWCOnP5S1LzgY0WlJROt7XUJYErBqAmRIXgGyWLhrb7rjNLn/86qkzqN9K9EC
FhYuDhZAuRyqjAR/FMBrHOQt7SmJtn5+0IPS9NWbBabliRytaATp1vayMfw5WVXD
jpjppK2+HUUFUxps0Iq4T3ROBDIveVODPn6EvQyA7FUSjEUuV+vvaggnufPS7EEd
ofdcEJGFK0ZUCOAEtw+3vd+LLvMWchUp53Tzxp3OqPUjJ6487k84GjW/ZcThhIDt
oiY8B8voPvLqqGELuQINBF48gBQBEADG80oI4fzeNwuvLYLeHehupPi2xC0DTV2v
PiEXvVfpqPaJnJIzmMhvrXqBt7vbZ8Il60+5WTBcZ1Lfj3OCYWgkgdd619ndq4Ge
50e+8mIl7BAaOeveLnse+5iUzJeO2EKur5f/d0sqSQjYKeToO01jkubnan+Lk/L4
50w/k1UOnxUF4EsyhCi3uGHl3jeHTxI3KBk0PRacprhHfpxqfpbs6Zmz4m7VIYD4
8xvPOPXoLnBM0gnB/S7j+dQKb3icBnVLIN0wlZ5YPWe4dsgjYmmmYjfcsrXhQTsz
h0jyRjlmgPXg4bTGrR5EGiIGSUVFhzYdmGRz8luTEbMgYTfEoScV8bAYNlCnUr+q
IsF8KhjErCfIPUiohVrqgGGkgF5gT3NfYOTaewPo1SnYducDFwt3/M1DBLW31LnO
3W9uhMhW+4qE2vxK6Hm6KJs5cNtkKmSfNvHqKfxiCE7ER//oFw0m2D+0SbPBdX4W
q8aePTXKTHrB58hwkP+koiLuG/irA0pqCeiFdAIX3JE7g/obXCOHhHJ60ZtZSlLg
Ph+Hp7YqYTj7xSoYVshBVCHc3wcXd0rjT38JzKgzlKlXl/5PeplSGHszgYpl8PYk
AI62R2cqrbr1GI/RORTsi6PtNFQ1mM/Sjqf7g4ZQfbVlPkSPLa+RSktDEdHHIbnF
ykB8jH/stwARAQABiQI8BBgBCAAmFiEEcSjZH/SSUwgzkvggcppueT+NRtcFAl48
gBQCGwwFCQeGH4AACgkQcppueT+NRtdE9xAAhONvccBOeBnuNuLH69bD3L25gu/P
YbihLsnAy3j32feqs6oL4kPQIm0aZvTz4iY0WvHQKqRTSKzgicO+eYozap81XTr7
430yHFYfKL9KQE0H/xNGOzScrD+T5AIx+rL36XHcjh0xzacEo8Qo0PIf9OyxS3eV
hZ6XBADQuWbhNWrDYCMeqmca9HDrFo29mD4UVzl0Fklk11gAsyL1d/49zwY6Lj8v
ziKxf/wzIJsnHM/LiAhgXMPJlhXX2WoD1WmN7BGk2KVFlRO76gmE4odLCxqIKVPz
TAl431fB/E0QJwylYanq0XMe60ZG+vUFqNjlPt+OEtJulBXhB82/6yaguz6oNLB3
6PSLnA99UO/dMVF3gt/ipKCKqSKSSBZLW9KQmAanQkrFszo9hbvvETRkVAALMcDZ
w51aSQOm+I8cmdkQQ0CBXEVQxy95VRiyaOLl4useeMsCffbd538g0U+Nc6iqB8LP
QqpcC3R4JlKsTubyWLHrKmpp3EW4p2Whwec4SHaz4t4VDVVmRKboPI189QiR1QQQ
PPe31GvxhsYxFjzhkeuIG/Mm0GYCofuEzmgRw2xJDoYoRIhlU8iDhHdqfM/D0S3N
0RbIsKnvEYg294uecIXKceMm/rl4a1Jqdb5nM4DKjOf6Qw1KBHLfDl6dMhwBXU5N
o632EgP1dL17PyI=
=pRhm
-----END PGP PUBLIC KEY BLOCK-----