TinyIMG’s bug bounty program

Nov 25, 2024 | Time to read 10 min read
TinyIMG’s bug bounty program
By purchasing through the links on this page, you are giving us the opportunity to earn a commission. Your support is greatly appreciated!

At TinyIMG, we prioritize maintaining a safe and private environment for our customers at all times. That’s why we’re inviting ethical hackers to partner with us and help safeguard our program. If you believe you’ve discovered a security issue, we encourage you to notify our team.

Severity Reward
Low Up to $50
Medium Up to $100
High $200-$300
Critical $400-$1000

Our rewards depend on the severity and characteristics of the identified vulnerability. While the provided payouts are maximum for each severity, we may reward bonuses at our discretion. If the researcher identifies multiple vulnerabilities that are caused by one issue, it will still count as a one-bounty reward.

Please note that in some cases, issues might be considered less severe due to the other security measures we’ve adopted.

Who can participate in the bug bounty program?

Anyone can participate in the TinyIMG bug bounty program, whether you’re an independent researcher or a seasoned security professional. As long as you follow our guidelines and ensure a secure process, you’re welcome to participate.

Bug bounty program guidelines

When participating in the TinyIMG bug bounty program, follow these guidelines to ensure a secure process for everyone:

  • Upon discovering vulnerabilities, report them directly to our team. Do not share any of your findings publicly before our investigation so we can keep our users safe.
  • Create a clear and detailed report that would help us reproduce the vulnerability. Non-reproducible reports may not be eligible for a reward.
  • Provide one vulnerability per report. Exceptions include chain vulnerabilities.
  • Create new accounts for testing vulnerabilities to prevent negatively impacting our users, servers, or data. Do not test anything on real user accounts.
  • Do not exploit the identified vulnerabilities – only use the minimum actions needed to prove the issue to our team and prevent harm.
  • Refrain from engaging in any type of social engineering, denial-of-service (DDoS), spamming, or phishing attacks.
  • During your research, you must adhere to our terms of service and privacy policy.
  • If a vulnerability is reported by two different researchers, usually the first person to submit a clear report will be rewarded (exceptions may apply).

If you have any questions, you can contact us at [email protected].

Scope of accepted reports

The TinyIMG bug bounty program only rewards vulnerabilities found in the following areas:

  • The official TinyIMG Image Optimizer Shopify app
  • The official TinyIMG Squarespace extension

Out-of-scope reports (not eligible for a reward)

At the moment, certain reports are considered out-of scope and are not eligible for rewards, including:

  • The entire TinyIMG domain (tiny-img.com)
  • The TinyIMG Chrome extension
  • Third-party services or external platforms and domains that are not owned by TinyIMG

Program policy

When participating in our program, you agree to the following requirements:

  • We request that you report an identified vulnerability to us privately. You must refrain from disclosing details about the issue publicly until the TinyIMG team can acknowledge and fix it.
  • It is prohibited to exploit the discovered vulnerability beyond the proof of concept (PoC) needed for submitting a clear report.
  • You must not disclose, retain, or copy any information about TinyIMG that you have gained during your research.
  • Before disclosing the vulnerability, TinyIMG may remove sensitive details found in the report.

If you decide to request disclosing the vulnerability to a larger audience like at a conference or a blog, you must first request approval from the TinyIMG team and get written consent. We will ask you to share the final draft of the content before publishing.

Severity examples

Here are some of the vulnerability examples and their level of severity:

Vulnerability Severity
Remote code execution Critical
PHP object injection Critical
SQL injection, deserialization of untrusted data High-critical
Remote or local file inclusion High-critical
Insecure direct object references (IDOR) High-critical
Broken access control High-critical
Privilege escalation High
Arbitrary file read/download/upload/deletion High
Sensitive data exposure High
Cross-site scripting (XSS) Medium-high
Server-side request forgery (SSRF) Medium-high
Path traversal Medium-high
Authentication/authorization bypass Medium-high
CSV injection Medium
Cross-site request forgery (CSRF) Low-high
Misconfiguration/open redirect Low-medium

Please keep in mind that in cases where vulnerability reports are high in quality, TinyIMG may reward researchers with an extra bonus.

Non-acceptable vulnerabilities

When you locate issues on our services, please take into consideration whether they pose real security threats. Here are the vulnerabilities that we do not accept:

  • Attempts to disrupt our services with DDoS attacks
  • Clickjacking on areas where no sensitive information or private data is at risk and missing mechanisms that prevent it
  • Cross-site request forgery (CSRF) in regards to read-only actions
  • Data spoofing without significant security impact
  • Dependent on the exploitation of another vulnerability
  • Lack of best email practices, like SPF/DKIM/DMARC records
  • Lack of encryption for sensitive data
  • Lack of endpoint rate limiting or brute force issues
  • Outdated software versions or SSL/TLS configurations
  • Security header configurations
  • Social engineering, including phishing, that is targeting users or employees of TinyIMG
  • Unusual server configurations or outdated software
  • Vulnerabilities that require physical access to a user’s system or device
  • Already known issues that were reported previously

Bug submissions requirements

To submit a bug, you must fully describe the discovered vulnerability so we can understand its potential risks and reproduce it. You should include all the information and resources in your report that would be useful to comprehending it. It may include the following:

  • PoC like screenshots, instructions, or videos for detailed guiding
  • Traffic logs
  • Exploit code
  • Specific URLs or API endpoints affected
  • Test account information, including the email address
  • Network conditions, like using a VPN or public wifi
  • IP address that was used during testing
  • Web/API requests and responses

Response time

Here at TinyIMG, we understand the value that the work of researchers gives to our company. We strive to address and review each vulnerability report as soon as we possibly can.

The estimated time goals that we aim to achieve are as follows:

  • Initial response: up to 3 business days
  • Triage and Assessment: up to 10 business days
  • Resolution: up to 30 business days
  • Bounty award: up to 60 business days

Known issues

Please note that these known issues will not be accepted:

  • Multiple emails are being sent upon password reset on the affiliate platform.
  • Multiple emails are being sent upon password reset on the squarespace platform.

We are actively working on resolving the above issues and appreciate your patience during this time.

Miscellaneous

TinyIMG is not responsible for any tax obligations depending on your country of residency. You may not violate any laws when participating in our bug bounty program or compromise any of TinyIMG or its users’ data. We retain the right to terminate this program at any given time and without prior notice.

× Enlarged Image