52212 policies in database
Link to program      
2021-09-27
Tinder logo
Thank
Gift
HOF
Reward

Reward

Tinder

Tinder Bug Bounty Program Terms

====

Security is a top priority at Tinder. If you believe you've found a security bug in our in-scope applications or infrastructure, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Your participation in our Bug Bounty Program is voluntary. By participating in our Bug Bounty Program, submitting a report or otherwise disclosing a vulnerability to us (“Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”).

If (i) you do not meet the eligibility requirements below; (ii) you breach any of these Program Terms or any other agreements you have with Tinder or its affiliates; or (iii) we determine that your participation in our Bug Bounty Program could adversely impact us, our affiliates or any of our members, employees or agents, we, in our sole and absolute discretion, may ban you from our Bug Bounty Program and disqualify you from receiving any benefit of our Bug Bounty Program.

If you have questions about the Tinder service or are trying to get help with your own Tinder account, please read our FAQ for assistance.

Confidentiality

Any information you receive, collect or otherwise obtain about us, our services, our affiliates or any of our members, employees or agents in connection with our Bug Bounty Program (whether after or before you participate in the Bug Bounty Program, notably as a result of you finding and/or investigating a security bug in our in-scope applications or infrastructure) (“Confidential Information”) must be kept confidential, only used in connection with the Bug Bounty Program and not disclosed to any third party. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your participation in our Bug Bounty Program and any Submission.

By participating in our Bug Bounty Program, you represent and warrant that you have not used and will not use Confidential Information for any purpose other than in connection with the Bug Bounty Program and that you have not shared and will not share such Confidential Information with any third party.

Once a Submission is made, Tinder reserves the right to request from you, and you already accept to abide by this request, to securely and irreversibly delete any data related to such Submission, including, without limitation, any data about us, our services, our affiliates or any of our members, employees or agents. Additionally, you agree to securely and irreversibly delete any data related to the Submission immediately upon it no longer being reasonably necessary to retain for the purposes of conveying the impact or scope of the reported issue, after verifying with Tinder that it is no longer necessary, and/or if the Submission is closed, regardless of outcome.

Eligibility to Participate

To participate in our Bug Bounty Program, you must:

  • Be at least 18 years of age if you test using a Tinder account, and otherwise be the age of majority in your jurisdiction of residence or have the consent of your parent or guardian to participate in our Bug Bounty Program. In any event, you must be over the age of 13.

  • Not be a resident of, or make a Submission to our Bug Bounty Program from, a country against which the United States has issued export sanctions or other trade restrictions.

  • Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.

  • Not be employed by Tinder or any of its affiliates or an immediate family member of a person employed by Tinder or any of its affiliates.

You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.

Program Ground Rules

  • Don’t mass create accounts to perform testing against our applications and services.

  • No destructive automated testing - under no circumstance should automated testing cause intentional damage to Tinder systems.

  • Don’t engage in social engineering (e.g. phishing, vishing, smishing).

  • Don’t attempt to extort us.

  • Don’t leave any system in a more vulnerable state than you found it.

  • Don’t publicly disclose vulnerabilities without our explicit consent.

  • Do respect our members’ privacy.

  • Do research vulnerabilities and disclose vulnerabilities to us in good faith.

  • Do be respectful when interacting with our team.

  • Don't leak, manipulate, or destroy any user data. Please only test against accounts you own yourself or with explicit permission of the account holder.

Bounty Eligibility

Tinder reserves the right to decide if the minimum severity threshold is met and whether it was previously reported.

To qualify for a reward under this program, you must:

  • Send a clear textual vulnerability description of the bug along with the steps to reproduce the vulnerability.

  • Include attachments such as screenshots and proof of concept code as necessary. A clear description and proof of concept helps you prove that the security bug is legitimate and speeds up the reward process.

  • Be the first to report a specific vulnerability.

  • Disclose the vulnerability report directly and exclusively to us. Reminder: you are not permitted to disclose vulnerabilities to third parties -- including vulnerability brokers.

  • Stay in scope.

  • Do not attempt to elevate privileges, or explore a system beyond the minimum necessary to prove access or attempt to pivot in any way. This will disqualify you from receiving a bounty.

In general, the following would not meet the threshold for inclusion:


  • Vulnerabilities on sites hosted by third-parties unless they lead to a vulnerability on the main website / application

  • Denial of service

  • Social engineering

  • Spamming

  • Homographs, RTLO, or other types of UI issues

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Click-jacking, or issues only exploitable via click-jacking

  • Disclosure of known public files or directories (.htaccess, robots.txt, etc)

  • Third-party vulnerabilities (e.g. Wordpress) that have recently become publicly known will generally be out of scope for a period of 30 days from the public release of an official patch or workaround.

  • Missing or misconfigured security headers which do not lead directly to a vulnerability

  • Overly verbose responses (errors, banners, etc.), which cannot be directly used in an exploit

  • Software version disclosure without proof of exploitability

  • Reports from automated tools or scans

  • Lack of certificate pinning, or HSTS

  • TLS/SSL version, configuration, weak ciphers or expired certificates

  • Lack of Secure, or HTTPOnly flags on cookies

  • Lack of, or weak, Captcha, or rate-limiting

  • Tap-jacking

  • Tab-nabbing

  • SPF/DKIM/DMARC related issues, including missing SPF records on subdomains

  • Scenarios that require unlikely user interaction and/or outdated OS or software version

  • Self-XSS

  • Login/Logout CSRF

  • Unrestricted file uploads without a clear impact, beyond resource consumption, DoS, undesirable content, etc.

  • Third-party API Keys/Secrets embedded in mobile applications, without a clear impact, as many third-parties require this for their own client attribution purposes.

  • The ability to obtain multiple promotional items by opening multiple accounts

  • Most GPS spoofing related issues

  • Attacks against corporate IT infrastructure (e.g. firewalls and their software)

  • Attacks against employees (phishing, stealing laptops, physical security issues, etc.)

  • Host header injection without a clearly exploitable condition

  • Mobile client issues requiring a rooted device and/or outdated OS version

  • Attacks requiring MITM or physical access to a user's device.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

Program Updates and Licenses

We may modify the Program Terms or cancel our Bug Bounty Program at any time in our sole and absolute discretion.

As a condition of participation in the our Bug Bounty Program, you hereby grant Tinder and its affiliates a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable and exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Tinder in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us. You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission.

Thank you for helping keep the Tinder community safe!

In Scope

Scope Type Scope Name
android_application

com.tinder

ios_application

547702041

web_application

*.tinder.com

web_application

*.gotinder.com

web_application

*.tinderops.net

web_application

*.tstaging.com

web_application

*.tstaging.tools

web_application

*.tinderwebstaging.com

Out of Scope

Scope Type Scope Name
web_application

go.tinder.com

web_application

www.help.tinder.com

web_application

gotinder.imgix.net

web_application

console.gotinder.com


This program crawled on the 2021-09-27 is sorted as bounty.

FireBounty © 2015-2024

Legal notices | Privacy policy