TripActions Bug Bounty Program

Terms of Service

Overview

TripActions, Inc. recognizes the importance of helping protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver on these ideals by continuously evaluating and testing the security of our software system and through the means of our Bug Bounty Program (“Program”).

Changes to these Terms

We may modify the terms of the Program or terminate this Program at any time. Changes made to the Program will not apply retroactively.

Participation Eligibility

This Program is not open to minors, individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications resulting from payouts depending on your country of residency and citizenship. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.

Submissions of Reports

TripActions’ Bug Bounty Program is managed by a third party. Please report any vulnerabilities through the form submission (“Report”).

By submitting a Report, you (i) understand and acknowledge that TripActions may have developed or commissioned materials similar or identical to your Report, and you waive any claims you may have resulting from any similarities to your Report; (ii) understand that you are not guaranteed any compensation or credit for use of your Report; and (iii) represent and warrant that your Report is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Report to TripActions.

Confidentiality of Reports

We endeavor to address each Report in a timely manner. We require that Reports remain confidential and cannot be disclosed publicly or to any third parties, until we have investigated and resolved an issue you reported. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR A VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.

License

TripActions is not claiming any ownership rights to your Report. However, by providing any Report to TripActions, you grant TripActions an irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property in your Report to use, copy, reproduce, display, modify, adapt, transmit, and distribute copies of your Report. You agree to sign any documentation that may be required for us or our designees to confirm the rights you granted herein.

Bounty Payment

TripActions will determine rewards within the following ranges based on a number of criteria, including severity core. The payouts listed below represent typical amounts awarded per category, and TripActions reserves the right to decrease or increase any of them based on our own assessment of impact. Prior bounty amounts awarded are not precedent for future payments.

Severity	Minimum	Maximum	Description
Critical	$1,500	$2,000+	Vulnerability which can be used to compromise TripActions customer or employee data.
High	$500	$1,500	Critical issues related to input validation, inadequate access management and others.
Medium	$250	$500	Best-practices issues such as misconfiguration.
Low	$0	$0	Good-to-know issues which are not the cause of any serious concerns or require immediate remediation.
Informational	$0	$0	Informational finding with little to no impact.

TripActions has a rating methodology when calculating the overall severity ratings for each vulnerability reported, taking into account the following factors:

• Impact: what is the realistic / expected result of successful exploitation.
• Difficulty: how likely is it that a weakness might be successfully exploited by an attacker.
• Severity: combination of impact and difficulty gives an estimate of which weaknesses will be prioritized for remediation and are subject to bug bounty rewards.

Exclusions

The following categories of reports are considered out of scope for this Program and will not be rewarded:

• Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.
• Vulnerabilities in 3rd-party systems such as Slack, Zendesk and others. Please refer to the respective bug bounty and responsible disclosure guidelines for the relevant 3rd-party. We are happy to make a connection to ensure your vulnerability reports are received in a good faith.
• Spamming other users with automated emails or notifications (e.g. abusing the forgot password form).
• Reports which enumerate already claimed handles, emails and other such information. This reveals no sensitive information, regardless of whether the associated profiles are public or private.
• Reports relating to self-DoS issues (as in, only the person doing the action is denied service).
• Reports related to Distributed Denial of Service (DDos).
• Reports relating to missing rate limiting of our API. We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.
• Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.
• Reports related to subdomain takeover vulnerabilities without clear, demonstrable impact.

TripActions will have the right to determine severity classifications, report validity, duplications, exclusions, and out-of-scope bugs in its sole discretion.

IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM. TO REPORT A VULNERABILITY PLEASE VIEW THIS PAGE ON DESKTOP.