Bug Bounty - Report a Vulnerability

Bounty payment
  • Tribe's bug bounty program has been put on hold. We're looking to resume this before the end of this year.

    We won't be responding to any communication pertaining to bug bounty and security issues until further notice.

Please include the following information in your report:

  • ✓ Type of issue (cross-site scripting, SQL injection, remote code execution, etc.)
  • ✓ A URL if it is related to a specific section of the community solution
  • ✓ The potential impact of the vulnerability (i.e. what data can be accessed or modified?)
  • ✓ Step-by-step instructions to reproduce the issue
  • ✓ Any proof-of-concept or exploit code required to reproduce
  • ✓ Remediation of the issue

Note: If the issue that you're reporting is already known to us and we’re in the process of fixing, it won’t be eligible for bounty reward.

Definition of a Vulnerablity

Tribe considers a security vulnerability to be a weakness in one of our products or infrastructure that could allow an attacker to impact the confidentiality, integrity, or availability of the product or infrastructure.

We do not consider the following types of findings to be security vulnerabilities:

  • ✓ Presence or absence of HTTP headers (X-Frame-Options, CSP, nosniff, etc.). These are considered security best practices and therefore we do not classify them as vulnerabilities.
  • ✓ Missing security-related attributes on non-sensitive cookies. Tribe communities may set certain security-related attributes on cookies used on our applications. The absence of these headers on non-sensitive cookies is not considered a security vulnerability.
  • ✓ Exposed stack traces. We do not consider stack traces by themselves to be a security issue. If you find that a stack trace details personally identifiable information or user generated content, please submit a report detailing the issue.
  • ✓ Content spoofing by administrative users. We allow admins to add scripts into specific areas of the community as a customization feature and do not consider that functionality to be a vulnerability.
  • ✓ Clickjacking on pages in community pages that only contain static content.
  • ✓ Auto-complete enabled or disabled.

    We are also unable to respond to bulk reports generated by automated scanners. If you identify issues using an automated scanner, it is recommended that you have a security practitioner review the issues and ensure that the findings are valid before submitting a vulnerability report to Tribe.

Public Disclosure

Tribe makes it a priority to resolve any security vulnerabilities in our products within a week. Tribe follows coordinated vulnerability disclosure and requests, to protect our customers, that anyone reporting a vulnerability to us does the same.