Teamup Bug Bounty Program

Last updated: April 4, 2024

Teamup encourages users and independent security researchers to report detected security vulnerabilities. We appreciate the work of independent security researchers who review and test our service for security vulnerabilities because it makes more secure. We offer a bug bounty for the report of reproducible and unreported vulnerabilities. The amount of the bounty depends on the severity of the vulnerability as determined by Teamup.


Over time we have collaborated with numerous security researchers. Here are some guidelines to ensure a smooth collaboration and speedy review of the reports:

  • Report vulnerabilities to
  • Report one issue at a time. This makes it easy to discuss issues.
  • We award a bug bounty once for each issue. If the same vulnerability shows up in different contexts, we consider it one issue and one report.
  • Focus your vulnerability research on domain, which runs the Teamup Calendar software. Other domains like,, and are all-public, read-only websites that run standard software and are excluded from the bug bounty program. Bounties are paid only for
  • Don’t perform tests that cause an interruption of the service. In particular, don’t perform tests that cause a high load on the hosting infrastructure.
  • For testing purposes, we recommend using the freely available demo calendars at They have all the premium features enabled.

Excluded From A Bug Bounty

The following issues are known and are excluded from a bug bounty:

  • TLS versions: currently supports several TLS versions that considers weak. We are aware of that. For compatibility with older devices, we currently will not remove support for these versions. This is a common practice among many large web services.
  • Upload of files with malicious content, for example, SVG files with scripts, JS files, etc.
  • Linking of image files hosted on third-party sites to track users.
  • Metadata in image files (EXIF, IPTC).
  • Injection of commands into exported CSV files.
  • Lack of enforcement of certain product feature usage limits, for example, limiting the number of password reset requests sent, rate-limiting requests, etc.
  • Security issues related to the embedding of calendars into iframes (for example clickjacking vulnerabilities). Support for embedding the calendar into other web pages is an important product feature.
  • CSRF issues in the Teamup settings application. We are working on improvements.
  • Some API endpoints allow the enumeration of users by guessing identifiers.
  • Denial of service attacks.

If you have questions about the bug bounty program, please contact us at
