Airtable considers privacy and security to be core functions of our platform.
Earning and keeping the trust of our users is our top priority, so we hold
ourselves to the highest privacy and security standards. If you have
discovered a security issue that you believe we should know about, we would
love to work with you.
Please let us know about it and we'll make every effort to quickly correct the
Only perform testing against our web staging environment at
staging.airtable.com. Do not perform any testing against our production site
at airtable.com or our downloadable apps.
Areas in scope
We typically use the CVSS calculator
__to determine severity. We reward
bounties based on severity.
The following areas are generally considered of Critical severity:
- Stored cross-site scripting (XSS) vulnerability: $5000
- Remote code execution: $10,000
- File system access: $10,000
The following areas are generally considered to be High severity:
- Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues
- Cross-Site Request Forgery (CSRF) on user data
- Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)
The following areas are generally considered to be Medium severity:
- Vulnerabilities when uploading CSVs
- Insecure TLS configuration when a fix would be backwards-compatible
- Lack of
secure or HTTP-only flags on sensitive cookies
The following areas are generally considered to be Low severity:
- Self-XSS (XSS), a user performing XSS on themselves only
- Leaking the
Referer header when leaving Airtable, disclosing sensitive information
- On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data
- On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)
See below for more on third-party vulnerabilities.
Areas out of scope
If a report is a duplicate, we won't award a bounty.
The following areas are always out of scope :
Attacks that are beyond Airtable 's control are generally out of scope.
- Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)
- Attacks requiring access to a user's device (such as physical access or remote access)
- Attacks requiring the user's credentials
- Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs
- Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)
We also ask for an exploit or proof of concept for reports. If you can 't
produce an attack, even a hypothetical one, we are unlikely to award a bounty.
For example, here are some areas we generally consider to be out of scope:
- Arbitrary file upload (which is a core Airtable feature)
- Mis-adherence to best practices that does not lead to an exploit
- Vulnerabilities in third-party code or services that do not lead to an exploit
- Generic information disclosure, such as the
- Missing HTTP security headers, such as:
- HTTP Strict Transport Security
- HTTP Public Key Pinning
- Referrer Policy
- Certificate Transparency (Expect-CT)
We also consider the following areas to be out of scope, though there may be
- Social engineering (phishing) of Airtable staff or users
- Username or email enumeration
- Denials of service scoped to a single user or workspace
- Invitation abuses (to accumulate credits or send spam)
- API key disclosure for third-party services
- Missing subresource integrity
- Email security: DMARC, DKIM, SPF
- Session cookie duration
- Issues related to password policies
- Disclosure of non-sensitive internal IDs (such as user IDs)
- Two-factor authentication (2FA) bypass with third-party sign-ins like Google
If you're not sure whether an issue is in scope, we'd appreciate it if you
file a report anyway!
Third party issues
Airtable uses several third party services. If they have vulnerabilities, we'd
like to know. We can't guarantee bounty for those and encourage you to report
those to both us and to them. If the vulnerability affects our users, we'll
likely pay something.
Do not disclose any issues to the public or to any third party without
Airtable's permission. If you have questions, please ask us!
We believe in recognizing the work of others. If your work helps us improve
the security of our service, we'd be happy to acknowledge your