
Responsible Disclosure

Tide believes in keeping its members data secure and private. We acknowledge the valuable role that independent security researchers play in security and, as a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or product. Tide welcomes feedback from the security community on its product, platform and website to help keep our business and members safe. If you have information related to security vulnerabilities discovered within Tide products and services, please submit a report in accordance with our Responsible Disclosure Policy.

Responsible Disclosure Policy

Our Responsible Disclosure Policy allows anyone in the security community to conduct security testing and to communicate the results to us safely. If you identify any vulnerabilities, please report them to Tide in one of the following two ways:

1. Use the HackerOne form provided at the end of this page, or visit our bug bounty program on HackerOne directly and submit a report at https://hackerone.com/tide

2. Email us at security@tide.co, using PGP to encrypt the message and any attachments:

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEAdm4CKlavmxzHVU3C2buPkSYncgFAmR3D7wACgkQC2buPkSY
nchcmxAAvPTK/5/4yCNxGUqroR2kGa+fFyHzTZOVtOzkCmENBbJCpyLwZ//rkNAw
C59x27U7Q7Wl1owaOtNLvoOTFsc5IeNemtCVmduUKozo+ewiRGzFgN6T+2Ahsq8+
xtlcxlr+WIGCZm/FM/ajg3mFfsugMfBUllGL6b2SE5xyNc+w66NvjBfqW+eF2Ac8
+562LiUS25ecBmkxQrjQ5hCTbnLTMR4eOYc7AkEXBlkk4dCrqGMt9qz95BddHE7G
YQOnVVCKDHddRJDbSaKDpy+JEOZUEnUVm5pqdzKWhS9sNAXz/sgWrOWdv78jmFfn
FlZbemSBLLCaTnfPFnZIm7JC36M7mxwxthx86jBm3x2UuvEpR7HG0U/pY1Lh9oTp
FD5qIh1Qy6Peg49McOcVDjNhxL0J6nc7q/ZrzLVdFhwJ45QesPzSrmE7AXjG+enm
KmXoBAV89X/cDhuP66hEKc0pwrAsJqgcbLryAON7uZftYTUn7W9fuISKH207erNg
68UyTNedVr0BmYS6D1kwx7RMMiYfVOZe0JWBHs6tttQFUCSj8W4TPSud207Fn5Q5
MlCx1nI6XOmr8LzhJVZGwe5BxYLDuuZP9oD3ic6/Y2qWu30YnhVTb05g7aMo1FG0
80Nco2oNYPZfbfAbYFh7CuMZAGLq9sgc3uLGkooWWT94orDf9Us=
=Xzf3
-----END PGP SIGNATURE-----

https://www.tide.co/.well-known/security.txt

We welcome your support to help us address any security issues, both to improve our products and protect our members.

What we would like to see from you:

Your reports will be reviewed and validated by a member of the Tide Security team. Providing clear and concise steps to reproduce the issue will help to expedite the response. As a minimum, your report must include:

  • Clear description and evidence of the vulnerability (logs, screenshots, responses)

  • Any platforms, operating systems, versions that are relevant

  • Any relevant IP addresses, URLs and parameters

  • Any supporting evidence you have collected (logging, tracing etc.)

  • Your name, contact details and other personal details on our request

  • Please preserve as much evidence as possible.

  • Describe the impact. How would the vulnerability be exploited?

  • Steps to reliably reproduce the issue.

Test Plan

If you are legally resident in a country in which Tide offers business accounts, and you meet the necessary criteria for an account in that region, you may sign up for an account using the promo code "HACKERONE". Once your request for an account is approved via our normal "Know Your Customer" (KYC) processes, you may use this account to perform exploratory testing of all APIs listed in the program scope below. If your request for an account is denied for any reason, we are not able to provide testing accounts, but you may still perform unauthenticated testing on any public APIs or applications listed in the program scope.

We would consider being able to create an account without going through our KYC processes to be a critical severity issue.

Identifying Yourself

It is likely that traffic generated by researchers will be categorised as malicious. Identifying your traffic will help us classify the traffic accordingly. We request that this is done by adding the following header to your request:

X-Hackerone: username
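On the receiving side, the header only helps if something actually reads it during triage. The following is an added example (not Tide's own tooling) of how a defender might separate self-identified researcher traffic from everything else. It assumes the edge logs each request as one JSON object per line with the request headers under a "headers" key; that log format and the sample lines are constructed for the example, not taken from the policy. The header is self-asserted, so the script only labels traffic for triage and never treats a tagged request as trusted.

```python
"""Triage helper: split self-identified researcher traffic from other traffic.

Added example, not Tide's own code. Assumes one JSON record per log line with
request headers under "headers" (an assumed log format, not stated by the policy).
"""
import json
from collections import Counter

# Header name from the policy; matched case-insensitively because proxies and
# clients vary the capitalisation.
TAG_HEADER = "x-hackerone"

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "src": "203.0.113.10", "path": "/api/v1/accounts", "status": 401, "headers": {"X-Hackerone": "alice_h1", "User-Agent": "curl/8.0"}}
{"ts": "2024-05-01T10:00:02Z", "src": "198.51.100.7", "path": "/login", "status": 200, "headers": {"User-Agent": "Mozilla/5.0"}}
{"ts": "2024-05-01T10:00:03Z", "src": "203.0.113.10", "path": "/api/v1/accounts/../admin", "status": 403, "headers": {"x-hackerone": "alice_h1"}}
{"ts": "2024-05-01T10:00:04Z", "src": "192.0.2.44", "path": "/api/v1/accounts", "status": 403, "headers": {"X-HackerOne": ""}}
{"ts": "2024-05-01T10:00:05Z", "src": "192.0.2.45", "path": "/api/v1/accounts", "status": 403, "headers": {"X-Hackerone": "bob_h1", "User-Agent": "python-requests/2.31"}}
not json at all
"""


def researcher_tag(record):
    """Return the non-empty X-Hackerone value for a record, or None if absent/blank."""
    for name, value in record.get("headers", {}).items():
        if name.lower() == TAG_HEADER:
            value = (value or "").strip()
            return value or None
    return None


def classify(log_text):
    """Split log lines into tagged researcher requests and untagged ones.

    Returns (Counter of requests per researcher handle, list of untagged records,
    number of malformed lines). Tagging affects only labelling for the analyst;
    the request itself was already handled by the normal controls (see status).
    """
    tagged = Counter()
    untagged = []
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1  # keep a count so broken log lines do not vanish silently
            continue
        tag = researcher_tag(record)
        if tag:
            tagged[tag] += 1
        else:
            untagged.append(record)
    return tagged, untagged, malformed


def untagged_blocked(records):
    """Untagged requests that were blocked (4xx) are the ones worth an analyst's look first."""
    return [r for r in records if 400 <= r.get("status", 0) < 500]


if __name__ == "__main__":
    tagged, untagged, malformed = classify(SAMPLE_LOG)
    print("researcher traffic:", dict(tagged))
    print("untagged requests:", len(untagged), "of which blocked:", len(untagged_blocked(untagged)))
    print("malformed lines:", malformed)
```

Run over the constructed sample, the script attributes three requests to two researcher handles, leaves two requests untagged (one with an empty header value, which is treated as untagged rather than as a researcher), and counts one malformed line.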

In Scope

  • Domain

    • web.tide.co

    • api.tide.co

    • login.tide.co

    • app.tide.co

    • api.tideplatform.in

    • www.tide.co

  • Android: Play Store: com.tideplatform.banking

  • Android: Play Store: co.tide.tideplatform.in

  • iOS: App Store: co.tide

Out of Scope

  • Domains

    • account-reader.tide.co

    • community.tide.co

    • status.tide.co

    • admin.tide.co

    • *-wip.tide.co

    • *-staging.tide.co

    • www.tidecharity.org.uk

    • portaldesign.tide.co

    • s.tide.co

    • memberconnect.tide.co

    • professionals.tide.co

    • *.stg-tideplatform.in

    • *.wip-tideplatform.in

Out of scope vulnerabilities

When reporting vulnerabilities, please consider both the attack scenario/exploitability and the impact of the vulnerability. The following issues are considered out of scope:

  • Reports from automated tools or scans

  • Attempts to exploit service providers we use. Prohibited actions include, but are not limited to, brute-forcing login credentials of domain registrars, DNS hosting companies, email providers and others.

  • Reports affecting outdated browsers

  • Denial of Service Attacks

  • Content spoofing and text injection issues without a demonstrated attack vector, or without the ability to modify HTML/CSS

  • Missing best practices in Content Security Policy.

  • Issues without clearly identified security impact or speculative theoretical exploitability

  • Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure - without clear and working exploit)

  • Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these.

  • Use of known vulnerable libraries or frameworks without a clear and working exploit

  • Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)

  • Self Cross-site Scripting vulnerabilities without evidence on how the vulnerability can be used to attack another user

  • Lack of HTTPS

  • Reports about insecure SSL / TLS configuration

  • Password complexity requirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address has a Tide related account

  • Presence/Lack of autocomplete attribute on web forms/password managers.

  • Server Banner Disclosure/Technology used Disclosure

  • Full Path Disclosure

  • IP Address Disclosure

  • CSRF on logout or insignificant functionalities

  • Lack of Secure or HTTP only flag on non-sensitive cookies

  • Publicly accessible login panels

  • Clickjacking

  • CSS Injection attacks. (Unless it gives you the ability to read anti-CSRF tokens or other sensitive information)

  • Tabnabbing

  • Host Header Injection (Unless it gives you access to interim proxies)

  • Cache Poisoning

  • Reflective File Download

  • Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin: * or accepting of custom Origin header that does not specifically show a valid attack scenario

  • PRSSI - Path-relative stylesheet import vulnerabilities (without an impactful exploitation scenario - for example stealing CSRF-tokens)

  • OPTIONS/TRACE/DELETE/PUT/WEBDAV or any other HTTP Methods accepted by the server which do not specifically show a valid attack scenario

  • Cookies scoped to the parent domain, or any cookie path misconfiguration or improper cookie scoping

  • Private IP/Hostname disclosures or real IP disclosures for services using CDN

  • Open ports that do not lead directly to a vulnerability

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • Lack of DNS CAA and DNS-related configurations

  • Weak Certificate Hash Algorithm

  • Social engineering of Tide employees or contractors

  • Any physical/wireless attempt against Tide property

  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

  • Open redirect - unless an additional security impact can be demonstrated

  • Theoretical sub-domain takeovers with no supporting evidence

  • Any issue in a mobile application that can only be exploited on a rooted or jailbroken device

  • Reports of broken links or unclaimed social media accounts

  • Security vulnerabilities in third-party products or websites that are not under Tide’s direct control

  • Issues that require unlikely user interaction

  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.

Submit a report:

Please use the form below to submit a vulnerability report: