bounty program

Program Terms

Please note that your participation in the Bug Bounty Programme is voluntary and subject to the terms and conditions set forth on this page. By submitting a website or product vulnerability to Tomba, you acknowledge that you have read and agreed to these Terms. These Programme Terms supplement the terms of any other agreement in which you have entered with Tomba. If there is any inconsistency between the terms of the Tomba Agreements and these Programme Terms, these Programme Terms will control, but only with regard to the Bug Bounty Programme.

Security issue reporting guidelines

If you think you have found a security vulnerability in Tomba, please report it to us by email to Please include detailed steps to reproduce the bug and a brief description of what the impact is. We encourage responsible disclosure (as described below), and we promise to investigate all legitimate reports in a timely manner and fix any issues as soon as we can.

Services in scope

Any Tomba service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all the content in the following domains:


Responsible Disclosure Policy

Security of user funds, data and communication is of highest priority to Tomba. In order to encourage responsible disclosure, we will not pursue legal actions against the researchers who point out the problem provided they follow principles of responsible disclosure which include, but are not limited to: Only access, disclose, or modify your own customer data.

  • Do not perform any attack that could harm the reliability or integrity of our services or data.
  • Avoid scanning techniques that are likely to cause degradation of service to other customers. (DoS, spamming).
  • Always keep details of vulnerabilities secret until Tomba has been notified and fixed the issue.
  • Do not attempt to gain access to another user’s account or data.

In researching vulnerabilities on the website of Tomba, you must not be engaged into the following:

  • Results in degradation of Tomba systems.
  • Results in you, or any third party, accessing, storing, sharing or destroying data of Tomba or customers.
  • Activities that may impact Tomba clients, such as denial of service, social engineering or spam.

We may suspend your account and ban your IP, if you do not respect these principles.

We ask you to be available to follow along and provide further information on the bug, and invite you to work together with Tomba developers in reproducing, diagnosing, and fixing the bug. We use the following guidelines to determine the eligibility of requests and the amount of reward.


To be eligible for the Bug Bounty Programme, you must not:

Be in violation of any national, state, or local law or regulation.

  • Be an immediate family member of a person employed by Tomba, or its subsidiaries or affiliates.
  • Be less than 14 years of age. If you are at least 14 years old, but are considered a minor in your place of residence, you must get a permission signed by your parents or legal guardians prior to participating in the program.

If Tomba discovers that you do not meet any of the criteria above, Tomba will remove you from the Bug Bounty Programme and disqualify you from receiving any bounty payments.

Examples of Vulnerabilities

Examples of Qualifying Vulnerabilities

Tomba reserves the right to decide if the minimum severity qualification threshold is met and whether it was already reported.

  • Authentication bypass or privilege escalation.
  • Cross-site request forgery (CSRF/XSRF).
  • Server-side code execution.
  • Remote Code Execution.
  • Cross-site scripting (XSS)

Examples of Non-Qualifying Vulnerabilities

Examples of Non-Qualifying Vulnerabilities Reporting the following vulnerabilities is appreciated but will not lead to systematic reward from Tomba.

  • Denial of Service vulnerabilities (DoS).
  • Possibilities to send malicious links to people you know.
  • Security bugs in third-party websites that integrate with Tomba API.
  • Vulnerabilities related to 3rd-party software (e.g. Java, plugins, extensions) or website unless they lead to vulnerability on Tomba website.
  • Spam (including issues related to SPF/DKIM/DMARC).
  • Usability issues, forms autocomplete.
  • Insecure settings in non-sensitive cookies.
  • Browser Cache vulnerabilities.
  • Vulnerabilities (including XSS) that require a potential victim to install non-standard software or otherwise take very unlikely active steps to make themselves be susceptible.
  • Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Vulnerabilities (including XSS) that affect only legacy browser / plugins.
  • Self-XSS.
  • CSRF for non-significant actions (logout, etc.).
  • Clickjacking attacks without a documented series of clicks that produce a vulnerability.
  • Content injection, such as reflected text or HTML tags.
  • Missing HTTP headers, except as where their absence fails to mitigate an existing attack.
  • Authentication bypasses that require access to software / hardware tokens.
  • Vulnerabilities that require access to passwords, tokens, or the local system (e.g. session fixation).
  • Assumed vulnerabilities based upon version numbers only.
  • Bugs requiring exceedingly unlikely user interaction.
  • Disclosure of public information and information that does not present significant risk.
  • Scripting or other automation and brute forcing of intended functionality.
  • Requests violating same-origin policy without concrete attack scenario (for example, when using CORS, and cookies are not used in performing authentication or they are not sent with requests).

Required Information

For all submissions, please include:

  • Full description of the vulnerability being reported including the exploitability and impact.
  • Document all steps required to reproduce the exploit of the vulnerability.
  • URL(s)/application(s) affected in the submission (even if you provided us a code snippet/video as well).
  • IPs that were used while testing.
  • Always include the user ID that is used for the POC.
  • Always include all of the files that you attempted to upload.
  • Provide the complete PoC for your submission.
  • Please save all the attack logs and attach them to the submission.

Failure to include any of the above items may delay or jeopardize the bounty payment. Report it to us by emailing


Our reward system is flexible and doesn’t have any strict upper or lower limit. This means particularly creative or severe bugs will be rewarded accordingly. The amount will exclusively depend on the severity of the vulnerability. Rewards will be sent using Paypal once the vulnerability has been fixed. These services collect a fee for processing the transaction, which gets deducted from the amount awarded.

Hall of fame

We use cookies to improve your user experience. By continuing onto our website, you agree to our privacy policy .