Tictail Developers

Responsible Disclosure Program

We want to keep Tictail safe and secure for everyone, and data security is of utmost priority. If you’ve discovered a security vulnerability in Tictail, we appreciate your help in disclosing it to us in a responsible manner.

Responsible Disclosure Policy

Tictail will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate, respond to and fix vulnerabilities in accordance with our commitment to security and privacy. We won’t take legal action against, or suspend or terminate access to the Service of, those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. Tictail reserves all of its legal rights in the event of any noncompliance. Capitalized terms used in this Responsible Disclosure Policy and not otherwise defined have the meaning ascribed to such terms in our Terms of Service.

Testing

You may test only against an Account for which you are the Account owner or an Agent authorized by the Account owner to conduct such testing. In no event are you permitted to access, download or modify data residing in any other Account or that does not belong to you or attempt to do any of the foregoing.

The Rules

  • Don’t attempt to gain access to another user’s account or data.
  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Don’t publicly disclose a bug before it has been fixed.
  • Don’t impact other users with your testing; this includes testing for vulnerabilities in shops or accounts you do not own.
  • Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may automatically suspend your accounts and ban your IP address.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • When in doubt, email us.

Non-Qualifying Vulnerabilities

Examples of non-qualifying vulnerabilities include:

  • Reports from automated tools or scanners.
  • Theoretical attacks without actual proof of exploitability.
  • Client-side attacks crafted by a shop owner that are tied solely to the shop’s own domain/subdomain.
    • Exploits granting access to data beyond the border of the shop’s own domain are, however, eligible.
  • Denial of Service attacks.
  • Brute force attacks (e.g. on passwords or tokens).
  • Username or email address enumeration.
  • Spamming and spoofing of e-mail headers.
  • Social engineering of Tictail staff or users.
  • Attacks involving any user accounts not created by you.
  • Physical attacks against Tictail offices or data centers.
  • Attacks involving physical access to a user’s device.
  • Missing security headers that do not lead directly to a vulnerability.
  • Clickjacking.
  • Content Spoofing.
  • Cookies missing the Secure/HttpOnly flags.
  • Bugs that rely on an unlikely user interaction (i.e. the user effectively attacking themselves).
  • Issues related to password and account recovery policies (e.g. password complexity requirements).

Reporting

Share the details of any suspected vulnerabilities with the Tictail Security Team by sending an email to security@tictail.com. Please do not publicly disclose these details without express written consent from Tictail. In reporting any suspected vulnerabilities, please include the following information:

  • Vulnerability details with information to allow us to efficiently reproduce your steps.
    • Reports that consist solely of media attachments (e.g. PDFs or MP4s) will not be processed.
  • Your email address.
  • Your name as it should be displayed on this page if you would like it to be.
  • Your Twitter handle or website link as it should be displayed.

Compensation Requests

Upon your approval we’d be happy to publish your name and Twitter handle on this page after your submission has been verified by our security and development teams.

Requests or demands for monetary compensation in connection with any identified or alleged vulnerability will be deemed noncompliant with this Responsible Disclosure Policy.

Our Commitment

If you identify a verified security vulnerability in compliance with this Responsible Disclosure Policy, Tictail commits to:

  • Promptly acknowledge receipt of your vulnerability report.
  • Provide an estimated timetable for resolution of the vulnerability.
  • Notify you when the vulnerability is fixed.
  • Publicly acknowledge your responsible disclosure.

Contributors

Tictail thanks the following individuals and organizations, listed in alphabetical order, who have identified security vulnerabilities in accordance with this Responsible Disclosure Policy:

PGP

If you want to encrypt your communication with us, use the following PGP key and send your message to security@tictail.com.
