Coordinated vulnerability disclosure
At Tyk we take user safety and the security of our services very seriously. We recognize the important role that security researchers and the community play in keeping our services and users safe.
We have adopted a responsible disclosure program to encourage everyone to report security vulnerabilities. To recognize your efforts we offer a bounty for reporting certain qualifying security vulnerabilities.
Scope
We’ve partnered with the leading enterprise application security management platform, Zerocopter, to enable you to quickly and easily report issues.
We accept any reports relating to our Cloud and On-Premise platforms.
Reports relating to our website and community forums are generally out of scope.
Resolving Issues
When vulnerability fixes are completed, we’ll deliver them to customers via our regular patching process.
Guidelines
To keep our users’ data safe and our services stable, please follow these rules:
- Use only test accounts to avoid compromising privacy of other users
- Share the security issue with us without making it public
- Allow us a reasonable amount of time (at least 180 days from when we receive your disclosure under this process) to respond to the issue before disclosing it to others.
Do not engage in security research that involves:
- Potential or actual damage to users, systems, data or applications.
- Use of an exploit.
- Viewing other users’ data, or any action that involves the corruption of data.
- Any activity that may disrupt our services.
If you think you have discovered a security vulnerability, please report it using the Zerocopter reporting form and provide the requested information.
Eligibility
We thank everyone who submits valid reports which help us to improve the security of our services. However, only those that meet the following requirements may receive a bounty:
- You must be the first person to report the vulnerability
- The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above)
- You may not publicly disclose the vulnerability prior to our resolution
- Act in good faith. Our security team will assess each vulnerability report to determine if it qualifies for a bounty. A typical bounty will vary based on the probability and the damage impact of exploitation. Only one bounty per vulnerability (or with similar vulnerabilities in different areas, one bounty per type) will be rewarded.
Qualifying Vulnerabilities
The following security vulnerabilities are eligible for a bounty:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery
- Server-Side Request Forgery
- SQL Injection
- Server-Side Remote Code Execution
- XML Injection
- Bypassing Authorization Mechanisms
- Clickjacking
- Version disclosure of used server side software (except for WordPress installations)
Non-Qualifying Vulnerabilities / Out of Scope:
The following security vulnerabilities are NOT eligible for a bounty:
- Security vulnerabilities in third-party applications used in our application(s)
- Security vulnerabilities in third-party websites that integrate with our application(s)
- Stating that software is vulnerable without a proof of concept.
- Issues related to updating third-party software patches, where the patch was released within the last 3 months.
- Vulnerabilities that an attacker can exploit only against themselves, such as injecting malicious code into their own authentication cookies
- Security vulnerabilities requiring physical access to a user’s device
- Publicly accessible login masks
- Denial of Service Vulnerabilities (DoS)
- Spam or Social Engineering techniques
- Brute force password cracking
- Host header issues without PoC
- Security improvement and best practice issues
- Self-XSS that cannot be used to exploit other users
- Abuse of website functionalities. (see other programs below)
- Open redirects. (the majority of open redirects have low security impact)
- Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
- Vulnerabilities reported by automated tools without additional PoC
- Reports from vulnerability scanners without additional PoC
- Open ports without additional PoC
- API credentials
- Usernames of employees
- SSL/TLS implementation and configuration issues
Disclaimer
If you give us reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you, unless we have reason to believe that you do not act in good faith.
If users/individuals do not adhere to the above-mentioned rules, we reserve the right to take appropriate (legal) measures.