Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.
Please let us know about it and we'll make every effort to quickly correct the issue.
Only perform testing against our web staging environment at staging.airtable.com. Do not perform any testing against our production site at airtable.com or our downloadable apps.
We typically use the CVSS calculator to determine severity. We reward bounties based on severity.
The following areas are generally considered of Critical severity:
The following areas are generally considered to be High severity:
The following areas are generally considered to be Medium severity:
Secure or HTTP-only flags on sensitive cookies
The following areas are generally considered to be Low severity:
Referer header when leaving Airtable, disclosing sensitive information
See below for more on third-party vulnerabilities.
We generally do not accept reports that are simply the output from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.
If a report is a duplicate, we won't award a bounty. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.
A specific vulnerable behavior found in one part of Airtable is not necessarily eligible for a separate bounty if an identical problem is uncovered in another part of Airtable, though we'll assess this on a case-by-case basis. If the same vulnerability affects multiple parts of the product, please let us know in a single report; we'll take that into consideration when assessing severity (such a vulnerability might be eligible for a higher reward) and when marking reports as resolved. For example, if we fail to sanitize URLs in five parts of the Airtable product, that should probably be one report, not five.
The following areas are always out of scope:
Attacks that are beyond Airtable's control are generally out of scope. These include:
We also ask for an exploit or proof of concept for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:
We also consider the following areas to be out of scope, though there may be some exceptions:
If you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!
Airtable uses several third-party services. If they have vulnerabilities, we'd like to know. We can't guarantee a bounty for those, but we encourage you to report issues both to us and to the third party.
If the vulnerability might reasonably affect our users, we'll likely grant a bounty. Because the true severity of a third-party issue can be difficult to assess, vulnerabilities in third-party services are not eligible for the default bounty amounts listed in the "Areas in scope" section above; the bounty amount will be determined on a case-by-case basis.
Do not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!
We believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to acknowledge your contribution.
Contact us if you want more information.