At TinyIMG, we prioritize maintaining a safe and private environment for our customers at all times. That’s why we’re inviting ethical hackers to partner with us and help safeguard our program. If you believe you’ve discovered a security issue, we encourage you to notify our team.
| Severity | Reward |
| Low | Up to $50 |
| Medium | Up to $150 |
| High | $250-$350 |
| Critical | $400-$1000 |
Our rewards depend on the severity and characteristics of the identified vulnerability. While the provided payouts are maximum for each severity, we may reward bonuses at our discretion. If the researcher identifies multiple vulnerabilities that are caused by one issue, it will still count as a one-bounty reward.
Please note that in some cases, issues might be considered less severe due to the other security measures we’ve adopted.
Who can participate in the bug bounty program?
Anyone can participate in the TinyIMG bug bounty program, whether you’re an independent researcher or a seasoned security professional. As long as you follow our guidelines and ensure a secure process, you’re welcome to participate.
Bug bounty program guidelines
When participating in the TinyIMG bug bounty program, follow these guidelines to ensure a secure process for everyone:
- Upon discovering vulnerabilities, report them directly to our team. Do not share any of your findings publicly before our investigation so we can keep our users safe.
- Create a clear and detailed report that would help us reproduce the vulnerability. Non-reproducible reports may not be eligible for a reward.
- Provide one vulnerability per report. Exceptions include chain vulnerabilities.
- Create new accounts for testing vulnerabilities to prevent negatively impacting our users, servers, or data. Do not test anything on real user accounts.
- Do not exploit the identified vulnerabilities – only use the minimum actions needed to prove the issue to our team and prevent harm.
- Refrain from engaging in any type of social engineering, denial-of-service (DDoS), spamming, or phishing attacks.
- During your research, you must adhere to our terms of service and privacy policy.
- If a vulnerability is reported by two different researchers, usually the first person to submit a clear report will be rewarded (exceptions may apply).
If you have any questions, you can contact us at [email protected].
Scope of accepted reports
The TinyIMG bug bounty program only rewards vulnerabilities found in the following areas:
- The official TinyIMG Image Optimizer Shopify app
- The official TinyIMG Squarespace extension
Out-of-scope reports (not eligible for a reward)
At the moment, certain reports are considered out-of scope and are not eligible for rewards, including:
- The entire TinyIMG domain (tiny-img.com)
- The TinyIMG Chrome extension
- Third-party services or external platforms and domains that are not owned by TinyIMG
Program policy
When participating in our program, you agree to the following requirements:
- We request that you report an identified vulnerability to us privately. You must refrain from disclosing details about the issue publicly until the TinyIMG team can acknowledge and fix it.
- It is prohibited to exploit the discovered vulnerability beyond the proof of concept (PoC) needed for submitting a clear report.
- You must not disclose, retain, or copy any information about TinyIMG that you have gained during your research.
- Before disclosing the vulnerability, TinyIMG may remove sensitive details found in the report.
If you decide to request disclosing the vulnerability to a larger audience like at a conference or a blog, you must first request approval from the TinyIMG team and get written consent. We will ask you to share the final draft of the content before publishing.
Severity examples
Here are some of the vulnerability examples and their level of severity:
| Vulnerability | Severity |
| Remote code execution | Critical |
| PHP object injection | Critical |
| SQL injection, deserialization of untrusted data | High-critical |
| Remote or local file inclusion | High-critical |
| Insecure direct object references (IDOR) | High-critical |
| Broken access control | High-critical |
| Privilege escalation | High |
| Arbitrary file read/download/upload/deletion | High |
| Sensitive data exposure | High |
| Cross-site scripting (XSS) | Medium-high |
| Server-side request forgery (SSRF) | Medium-high |
| Path traversal | Medium-high |
| Authentication/authorization bypass | Medium-high |
| CSV injection | Medium |
| Cross-site request forgery (CSRF) | Low-high |
| Misconfiguration/open redirect | Low-medium |
Please keep in mind that in cases where vulnerability reports are high in quality, TinyIMG may reward researchers with an extra bonus.
Non-acceptable vulnerabilities
When you locate issues on our services, please take into consideration whether they pose real security threats. Here are the vulnerabilities that we do not accept:
- Attempts to disrupt our services with DDoS attacks
- Clickjacking on areas where no sensitive information or private data is at risk and missing mechanisms that prevent it
- Cross-site request forgery (CSRF) in regards to read-only actions
- Data spoofing without significant security impact
- Dependent on the exploitation of another vulnerability
- Lack of best email practices, like SPF/DKIM/DMARC records
- Lack of encryption for sensitive data
- Lack of endpoint rate limiting or brute force issues
- Outdated software versions or SSL/TLS configurations
- Social engineering, including phishing, that is targeting users or employees of TinyIMG
- Unusual server configurations or outdated software
- Vulnerabilities that require physical access to a user’s system or device
Bug submissions requirements
To submit a bug, you must fully describe the discovered vulnerability so we can understand its potential risks and reproduce it. You should include all the information and resources in your report that would be useful to comprehending it. It may include the following:
- PoC like screenshots, instructions, or videos for detailed guiding
- Traffic logs
- Exploit code
- Specific URLs or API endpoints affected
- Test account information, including the email address
- Network conditions, like using a VPN or public wifi
- IP address that was used during testing
- Web/API requests and responses
Response time
Here at TinyIMG, we understand the value that the work of researchers gives to our company. We strive to address and review each vulnerability report as soon as we possibly can.
The estimated time goals that we aim to achieve are as follows:
- Initial response: up to 3 business days
- Triage and Assessment: up to 10 business days
- Resolution: up to 30 business days
- Bounty award: up to 60 business days
Miscellaneous
TinyIMG is not responsible for any tax obligations depending on your country of residency. You may not violate any laws when participating in our bug bounty program or compromise any of TinyIMG or its users’ data. We retain the right to terminate this program at any given time and without prior notice.
