Nozbe Security - Bug Bounty

Our customers entrust Nozbe with their personal and professional information. Keeping this data safe is our highest priority.

We welcome all security researchers to take a hard look at our work and we offer rewards for responsible vulnerability reports.

What to focus on when searching for vulnerabilities

Nozbe:

Rules of Bug Bounty program

  • No social engineering, phishing, physical attacks
  • Disclose reproducible security bugs immediately to us
  • Don’t intentionally access, change, delete, or disrupt access to data of other users
    • If you do so by accident, delete all relevant data and disclose it to us immediately
  • Do not disclose vulnerabilities to others until we confirm to you that we’ve deployed a fix
  • Don’t use automatic tools that generate high server traffic

Ineligible reports

Issues below are unlikely to be awarded a bounty:

  • Non-security bugs (send those to support@nozbe.com)
  • DDoS, missing or inadequate request rate limiting
  • Social engineering, brute force attacks, compromised user password
  • Vulnerabilities on unsupported browsers, operating systems, and outdated versions of our apps
  • Issues in 3rd party Nozbe clients and integrations
  • Highly unlikely issues, e.g. those that would require significant effort from the user, or chaining with multiple other vulnerabilities that we don’t have
  • Reports that we don’t follow “best practices”
  • Token expiration in password reset and invitation emails
  • Missing DMARC records
  • Missing CAA records, missing HSTS header or “weak” TLS/SSL ciphers

Rewards granted by Nozbe

  • You must be the first to report an issue to us
  • Eligibility, severity, and the reward amounts are at our discretion
  • We may decline or award a smaller bounty for low-quality reports or if we believe you were not acting responsibly

Here’s what you can expect:

Critical Severity Bugs: $1000 or more

  • Remote code execution
  • SQL injection
  • Authentication to arbitrary account
  • Customer data disclosure
  • Critical vulnerabilities in internal services
  • … and other critical bugs

High Severity Bugs: $400 or more

  • XSS
  • XSRF on sensitive actions
  • Privilege escalation within a workspace
  • Data disclosure within a workspace
  • … and other high-severity bugs

Medium Severity bugs: $100 or more

  • XSS requiring user interaction
  • Metadata disclosure within a workspace
  • … and other medium-severity bugs

Low Severity bugs: $30 or more

  • Insignificant information leaks (no customer data)
  • DoS issues
  • … and other low-severity bugs

Fine print

  • Safe harbor: Responsible research consistent with the rules of this document is considered authorized conduct and we won’t initiate legal action against you
  • If we award a bounty to you, you may be responsible for taxes and other legal compliance (depending on your country)

How to submit your report?

Submit vulnerabilities you find to: security@nozbe.com.

Here’s what will happen when you send us a report:

  1. We’ll acknowledge the report as soon as we can.
  2. We’ll investigate the issue and determine its severity. We might ask you for more information if we can’t reproduce the bug.
  3. If a bug is high or critical severity, we’ll drop everything to work on deploying a fix.
  4. We will keep you in the loop regarding progress on the fix. Note that in some cases the process might take a while (e.g. when we need to deploy native apps to app stores, or if it involves an external or open source component and we have to notify our partners about the issue).
  5. Once the fix is deployed, we’ll award you the bounty. Do not disclose the vulnerability until we confirm that it’s been patched.

We also publish a GPG public key you can use to encrypt your report when appropriate.
