Responsible Disclosure Policy

While working to identify security vulnerabilities, we ask that you:

• Share any issues that you discover with us via HackerOne, as soon as is practical
• Give us a reasonable amount of time to address reported issues before making them public
• Do not attempt to access or modify any user data that is not your own (You can set up a dummy Trello account; they're free!)
• Act in good faith not to degrade the performance of our services (e.g. via automated scanning, brute forcing, or denial of service attacks)
• Only report issues that are in scope (below)
• Check our list of non-qualifying vulnerabilities (below) to make sure that you aren't spending time chasing down a vulnerability that isn't going to qualify for a bounty.

We will not bring a lawsuit against you or ask law enforcement to investigate you if you comply with these guidelines.

Bug Bounties

To show our appreciation for the work it can take to find and report a vulnerability, we're happy to offer researchers a monetary reward. Our minimum reward is currently $256 USD , and we expect to pay $4096+ for major vulnerabilities.

To qualify for a bounty you must:

• Report a qualifying vulnerability (see below) that is in the scope of our program (also below)
• Be the first person to report the vulnerability
• Adhere to our disclosure guidelines (see above)
• Only test against your own accounts and data
• Refrain from disclosing the vulnerability until we've addressed it
• Be in a country where we can legally pay you (e.g. we can't if you're a resident of North Korea)
• Communicate with our security team exclusively via HackerOne (the security team will be way more impressed by your exploits than our support or social media teams)

We may sometimes choose to award bounties that are less than our stated minimum; these are generally given to researchers who file informative reports that don't warrant a change.

Scope

Vulnerabilities affecting the following domains are in scope and may qualify for a bounty:

• trello.com
• api.trello.com
• *.trello.services

Vulnerabilities affecting blog.trello.com will only qualify for a bounty if they include a working proof of concept showing how the issue can compromise user data on trello.com.

Other domains (e.g. trello-attachments.s3.amazonaws.com) or subdomains not listed above (e.g. e.trello.com, help.trello.com) are not in scope and will not qualify for a bounty.

Reports must include the following:

• A Proof of Concept
• Detailed steps on how to reproduce the vulnerability
• Explanation of how the attack could be executed in a real world scenario to compromise user accounts or data

Qualifying Vulnerabilities

Examples of qualifying vulnerabilities likely to be eligible for a bounty include:

• Cross-Site Scripting (XSS) affecting a browser supported by Trello __
• Cross-Site Request Forgery (XSRF)
• Missing/Broken Authentication
• Remote Code Execution
• Privilege Escalation
• SQL Injection ;)

Our security team will assess all submissions and determine if they qualify for a bounty.

Non-Qualifying Issues

Not all issues are in the scope of our program, including some issues that may have been accepted by other programs. We don't want you to waste time submitting a report that won't qualify, so please be aware of these non- qualifying issues before beginning your research and submitting any reports.

Examples of non-qualifying vulnerabilities (not eligible for a bounty) include:

• Reports from automated tools or scanners
• Theoretical attacks without actual proof of exploitability
• Denial of Service attacks
• Brute force attacks (e.g. on passwords or tokens)
• Username or email address enumeration
• Spamming
• Issues with third-party applications (e.g. tools that interact with Trello or the Trello API, Chrome Extensions)
• Issues with domains not owned by Trello Inc (see the scope above)
• Social engineering of Trello staff or users (e.g. phishing)
• Vulnerabilities obtained through compromising Trello user or employee accounts
• Attacks involving any user accounts not created by you
• Physical attacks against Trello Inc offices or data centers
• Attacks involving physical access to a user's device, or involving a device or network that is already seriously compromised (e.g. man-in-the-middle attacks)
• Missing security headers that do not lead directly to a vulnerability
• Clickjacking and "Tabnabbing" (i.e. reports involving manipulation of window.opener)
• Content Spoofing and "hyperlink injection" (in emails)
• Cookies missing secure/httponly
• Bugs that rely on an unlikely user interaction (i.e. the user effectively attacking themselves)
• Issues related to password and account recovery policies (e.g. password complexity requirements)
• Issues related to board and organization invitation policies
• Issues related to having autocomplete enabled (i.e. not explicitly disabled) on password inputs
• Disclosure of tools, libraries used by Trello and/or their versions
• Open redirects on domains other than trello.com
• Issues that are the result of a user doing something silly (like sharing their password or API tokens publicly)
• Attacks affecting browsers not explicitly supported by Trello __
• Issues related to e-mail coming from @trello.com addresses (e.g. things related to DMARC and SPF)
• Reports of third party services and libraries needing to be updated to address a potential vulnerability … unless the updated version has been available for more than 48 hours

If you discover an out-of-scope bug in Trello while looking for security issues, you can report it to us by emailing our support team at support@trello.com. (If you do this, please be sure to mention that you're reporting an issue that's out of scope, so they don't refer you back to HackerOne!)

Thanks

We're happy to acknowledge security researchers that have helped us keep our users' data secure on our thanks page.

'><img/src=''onerror='alert(atob(/PDMgVHJlbGxv/.source))