Bug Bounty Program

Date of Last Revision: July 1, 2020

We recognize and reward security researchers who help us keep users safe by reporting vulnerabilities. Monetary bounties for such reports are at our sole discretion, based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report.

If we pay a bounty, the typical reward ranges from $50 ~ $100 and the reward will be sent by Paypal. For duplicated reports, we only reward the first person to submit the report. Note that extremely low-risk issues may not be qualified for a bounty.

To potentially qualify for a bounty, you need to follow these rules:

Don't access, modify, or delete data from any other user's account;

Don't perform any attack to harm the reliability/integrity of our services or data;

Allow a reasonable amount of time for us to respond to your report before publicly disclosing details of your exploit.

We will NOT pursue legal action against security researchers who follow the rules outlined in this page and responsibly disclose vulnerabilities to us.

What does not qualify?

Spam or social engineering techniques;

Bugs that don’t affect the latest version of modern browsers (Chrome and Safari). Bugs related to browser extensions are also out of scope;

Denial of Service (DoS);

User / email enumeration;

Brute forcing;

Any kind of XSS (Cross Site Scripting);

Any kind of CSRF (Cross-site request forgery);

Any kind of content injection; content spoofing; or HTML injection;

Browser cached pages after logging out;

Insecure cookie settings for non-sensitive cookies;

Strict-Transport-Security or other HTTP response headers

DNS or Email (SPF/DKIM/DMARC/PTR) configurations

Bugs requiring extremely unlikely user interaction;

UI/UX bugs or spelling mistakes.

How to report?

Please send an email to howard@tucia.com, and provide full details of the vulnerability, including detailed steps on how to replicate it, so that we can validate your report.

Please allow up to 48 hours for an initial response. Also realize that spam filters and email in general can sometimes be problematic.

If you do not want to be publicly thanked on our website (or elsewhere), please let us know in your report email that you want your submission to be confidential. We can still provide rewards for confidential submissions if requested.