Bug Bounty Program

Date of Last Revision: Jul 22, 2021

We recognize and reward security researchers who help us keep users safe by reporting security vulnerabilities. Monetary bounties for such reports are at our sole discretion, based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report.

If we pay a bounty, the typical reward ranges from $50 ~ $100 and the reward will be sent by Paypal. For duplicated reports, we only reward the first person to submit the report. Note that extremely low-risk issues may not be qualified for a bounty.

To potentially qualify for a bounty, you need to follow these rules:

Don't access, modify, or delete data from any other user's account;

Don't perform any attack to harm the reliability/integrity of our services or data;

Allow a reasonable amount of time for us to respond to your report before publicly disclosing details of your exploit.

We will NOT pursue legal action against security researchers who follow the rules outlined in this page and responsibly disclose vulnerabilities to us.

What does not qualify?

Please be aware that we are *NOT* a social media app, nor a file sharing service provider, and many kinds of "best practices" for them are not necessary or not applicable to us.

Baiting/phishing/spamming or any other social engineering techniques;

Man-in-the-middle attacks or issues that depends on taking control of victim's email account, operation system, network or computer/device;

Passwordless authentication through email links;

Email links not expiring immediately after clicking;

Not forcing users to set complex password;

Browser cached pages after logging out;

Any kind of XSS (Cross Site Scripting);

Any kind of CSRF (Cross-site request forgery);

Any kind of content injection; content spoofing; or HTML injection;

Insecure cookie settings for non-sensitive cookies;

Strict-Transport-Security or other HTTP response headers;

DNS or Email (SPF/DKIM/DMARC/PTR) configurations;

GeoLocation/EXIF data not stripped in images;

Reverse tabnabbing;

Malformatted images not displaying correctly;

User / email enumeration;

Brute forcing;

Rate limiting related;

Denial of Service (DoS);

Issues that don’t affect the latest version of modern browsers (Chrome and Safari);

Issues related to browser extensions;

Issues requiring extremely unlikely user interaction;

UI/UX issues or spelling mistakes.

How to report?

Please send an email to howard@tucia.com, and provide full details of the vulnerability, including detailed steps on how to replicate it, so that we can validate your report.

Please allow up to 48 hours for an initial response. Also realize that spam filters and email in general can sometimes be problematic.

If you do not want to be publicly thanked on our website (or elsewhere), please let us know in your report email that you want your submission to be confidential. We can still provide rewards for confidential submissions if requested.