Teamup Bug Bounty Program
Last updated: Nov 18, 2021
Teamup encourages users and independent security researchers to report detected security vulnerabilities. We appreciate the work of independent security researchers who review and test our service for security vulnerabilities because it makes teamup.com more secure. We offer a bug bounty for the report of reproducible and unreported vulnerabilities. The amount of the bounty depends on the severity of the vulnerability as determined by Teamup.
Over time we have collaborated with numerous security researchers. Here are some guidelines to ensure a smooth collaboration and speedy review of the reports:
- Report vulnerabilities to email@example.com.
- Report one issue at a time. This makes it easy to discuss issues.
- We award bug bounties once for each issue. If the same vulnerability shows up in different contexts, we consider this as one issue and one report.
- Focus your vulnerability research on domain teamup.com, which runs the Teamup Calendar software. Other domains like www.teamup.com, blog.teamup.com, and calendar.teamup.com are all-public, read-only websites that run standard software and are excluded from the bug bounty program. Bounties are paid only for teamup.com.
- Don’t perform tests that cause an interruption of the service. In particular, don’t perform tests that cause a high load on the hosting infrastructure.
- For testing purposes, we recommend using the freely available demo calendars at https://www.teamup.com/live-demo/. They have all the premium features enabled.
Excluded From A Bug Bounty
The following issues are known and are excluded from a bug bounty:
- TLS versions: teamup.com currently supports several TLS versions that ssllabs.com considers weak. We are aware of that. For compatibility with older devices, we currently will not remove support for these versions. This is a common practice among many large web services.
- Upload of files with malicious content, for example, SVG files with scripts, JS files, etc.
- Linking of image files hosted on third-party sites to track users.
- Metadata in image files (EXIF, IPTC)
- Injection of commands into exported CSV files.
- Lack of enforcement of certain product feature usage limits, for example, limiting the number of password reset requests sent, rate-limiting requests, etc.
- Lack of an automatic logout of all sessions when the password is changed or the two-factor authentication is enabled. We are working on improvements.
- Security issues related to the embedding of calendars into iframes (for example clickjacking vulnerabilities).
- CSRF issues in the Teamup settings application. We are working on improvements.
- Some API endpoints allow the enumeration users by guessing identifiers.
- Denial of service attacks.
If you have questions about the bug bounty program, please contact us at firstname.lastname@example.org.