2021-09-27
Tinder Bug Bounty Program Terms

Security is a top priority at Tinder. If you believe you've found a security bug in our in-scope applications or infrastructure, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Your participation in our Bug Bounty Program is voluntary. By participating in our Bug Bounty Program, submitting a report or otherwise disclosing a vulnerability to us (“Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”).

If (i) you do not meet the eligibility requirements below; (ii) you breach any of these Program Terms or any other agreements you have with Tinder or its affiliates; or (iii) we determine that your participation in our Bug Bounty Program could adversely impact us, our affiliates or any of our members, employees or agents, we, in our sole and absolute discretion, may ban you from our Bug Bounty Program and disqualify you from receiving any benefit of our Bug Bounty Program.

If you have questions about the Tinder service or are trying to get help with your own Tinder account, please read our FAQ for assistance.

Confidentiality

Any information you receive, collect or otherwise obtain about us, our services, our affiliates or any of our members, employees or agents in connection with our Bug Bounty Program (whether after or before you participate in the Bug Bounty Program, notably as a result of you finding and/or investigating a security bug in our in-scope applications or infrastructure) (“Confidential Information”) must be kept confidential, only used in connection with the Bug Bounty Program and not disclosed to any third party. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your participation in our Bug Bounty Program and any Submission.

By participating in our Bug Bounty Program, you represent and warrant that you have not used and will not use Confidential Information for any purpose other than in connection with the Bug Bounty Program and that you have not shared and will not share such Confidential Information with any third party.

Once a Submission is made, Tinder reserves the right to request that you securely and irreversibly delete any data related to such Submission, including, without limitation, any data about us, our services, our affiliates or any of our members, employees or agents, and you agree in advance to comply with any such request. Additionally, you agree to securely and irreversibly delete any data related to the Submission immediately once it is no longer reasonably necessary to retain it for the purpose of conveying the impact or scope of the reported issue (after verifying with Tinder that it is no longer necessary), and/or if the Submission is closed, regardless of outcome.

Eligibility to Participate

To participate in our Bug Bounty Program, you must:

  • Be at least 18 years of age if you test using a Tinder account, and otherwise be the age of majority in your jurisdiction of residence or have the consent of your parent or guardian to participate in our Bug Bounty Program. In any event, you must be over the age of 13.

  • Not be a resident of, or make a Submission to our Bug Bounty Program from, a country against which the United States has issued export sanctions or other trade restrictions.

  • Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.

  • Not be employed by Tinder or any of its affiliates or an immediate family member of a person employed by Tinder or any of its affiliates.

You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.

Program Ground Rules

  • Don’t mass create accounts to perform testing against our applications and services.

  • No destructive automated testing - under no circumstance should automated testing cause intentional damage to Tinder systems.

  • Don’t engage in social engineering (e.g. phishing, vishing, smishing).

  • Don’t attempt to extort us.

  • Don’t leave any system in a more vulnerable state than you found it.

  • Don’t publicly disclose vulnerabilities without our explicit consent.

  • Do respect our members’ privacy.

  • Do research vulnerabilities and disclose vulnerabilities to us in good faith.

  • Do be respectful when interacting with our team.

  • Don't leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with explicit permission of the account holder.

Bounty Eligibility

Tinder reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

To qualify for a reward under this program, you must:

  • Send a clear textual vulnerability description of the bug along with the steps to reproduce the vulnerability.

  • Include attachments such as screenshots and proof of concept code as necessary. A clear description and proof of concept helps you prove that the security bug is legitimate and speeds up the reward process.

  • Be the first to report a specific vulnerability.

  • Disclose the vulnerability report directly and exclusively to us. Reminder: you are not permitted to disclose vulnerabilities to third parties -- including vulnerability brokers.

  • Stay in scope.

  • Do not attempt to elevate privileges, explore a system beyond the minimum necessary to prove access, or attempt to pivot in any way. Doing so will disqualify you from receiving a bounty.

In general, the following would not meet the threshold for inclusion:

  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website / application

  • Denial of service

  • Social engineering

  • Spamming

  • Homographs, RTLO, or other types of UI issues

  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS

  • Click-jacking, or issues only exploitable via click-jacking

  • Disclosure of known public files or directories (.htaccess, robots.txt, etc.)

  • Third-party vulnerabilities (e.g. WordPress) that have recently become publicly known will generally be out of scope for a period of 30 days from the public release of an official patch or workaround

  • Missing or misconfigured security headers which do not lead directly to a vulnerability

  • Overly verbose responses (errors, banners, etc.) that cannot be directly used in an exploit

  • Software version disclosure without proof of exploitability

  • Reports from automated tools or scans

  • Lack of certificate pinning, or HSTS

  • TLS/SSL version, configuration, weak ciphers or expired certificates

  • Lack of Secure or HttpOnly flags on cookies

  • Lack of, or weak, CAPTCHA or rate limiting

  • Tap-jacking

  • Tab-nabbing

  • SPF/DKIM/DMARC related issues, including missing SPF records on subdomains

  • Scenarios that require unlikely user interaction and/or outdated OS or software version

  • Self-XSS

  • Login/Logout CSRF

  • Unrestricted file uploads without a clear impact beyond resource consumption, DoS, undesirable content, etc.

  • Third-party API keys/secrets embedded in mobile applications, without a clear impact, as many third parties require this for their own client attribution purposes

  • The ability to obtain multiple promotional items by opening multiple accounts

  • Most GPS spoofing related issues

  • Attacks against corporate IT infrastructure (e.g. firewalls and their software)

  • Attacks against employees (phishing, stealing laptops, physical security issues, etc.)

  • Host header injection without a clearly exploitable condition

  • Mobile client issues requiring a rooted device and/or outdated OS version

  • Attacks requiring MITM or physical access to a user's device

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability

Program Updates and Licenses

We may modify the Program Terms or cancel our Bug Bounty Program at any time in our sole and absolute discretion.

As a condition of participation in our Bug Bounty Program, you hereby grant Tinder and its affiliates a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable and exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Tinder in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us. You hereby represent and warrant that the Submission is original to you and that you own all right, title and interest in and to the Submission.

Thank you for helping keep the Tinder community safe!

In Scope

Scope Type           Scope Name
android_application  com.tinder
ios_application      547702041
web_application      *.tinder.com
web_application      *.gotinder.com
web_application      *.tinderops.net
web_application      *.tstaging.com
web_application      *.tstaging.tools
web_application      *.tinderwebstaging.com

Out of Scope

Scope Type           Scope Name
web_application      go.tinder.com
web_application      www.help.tinder.com
web_application      gotinder.imgix.net
web_application      console.gotinder.com

This program crawled on the 2021-09-27 is sorted as bounty.