Responsible Disclosure Policy

Tide believes in keeping its members data secure and private. We acknowledge the valuable role that independent security researchers play in security and, as a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or product. Tide welcomes feedback from the security community on its product, platform and website to help keep our business and members safe. If you have information related to security vulnerabilities discovered within Tide products and services, please submit a report in accordance with our Responsible Disclosure Policy.

Our Responsible Disclosure Policy allows for security testing to be conducted by anyone in the security community with safe communication of those results. If any vulnerabilities are identified please report them to Tide at security@tide.co using the following PGP to encrypt the message and any attachments:

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEPLd7yiZmTE6fs8IUBQBP81wD+lYFAmBsncoACgkQBQBP81wD
+lYnIxAAwTDd9rlXP5XRDt4jW2rz2SG81ND6PZnGRV/5vrub1mw/VdUZuW8Ciy3y
gnmkKzgtXyIdJcp4MBq3hMGiWOYTuSoCJWcMuMaVrFyp5MAbqeFeF+HTE5XmZbrp
URFpqhyUr0kBinlqlPPMB2a1SQK/87d+YYQ6lC36SsB9TZFQGHVJkfrxncIgChRa
lTNyZEkTZCPSHFfa0ZiVmL26mncJviPok474RIUJ9P6Iy8JYs7hQX3AVmP8PFhrS
3TMb4mFWB99Ab5A7tapCy+3X2aQVZEFmIK9qbTfh98Yb1v4IE7/5mxppNMDALTTL
tES3pCvu3ALPOVMYKZrtB27nZqensExbiCYfd0YNnFJ/ufisOwIlcQWFCTweYfU9
h00+MXxuLThGZfD1/VbG8GxLxjrPHlJ+CrXG8ad9yYkcH5+hkKz7Cx0awbyWkmnW
ZNG77N1kTwsLmgbcrWLxlAbNMyeqiXKnY8NyS3o+xItZ/mC1LzVCSJdZCzaxAJAg
kTONHorRk02QjUmc2cQf8gF8gh1qB7cQmavbiRVwYj/SnRkTXLkODt12xafuSZns
ucDZoJwdURs6f4WLC3SUSPKEyle1V6oYQJC5D1Q9bUlUN2vrYS4IyUeEm2iC1U9h
8AIykkosq8GltrY7j/JJvyT62ltoh6vUOpCp3KDsPIYvMEkBevw=
=hVoP
-----END PGP SIGNATURE-----

https://www.tide.co/.well-known/security.txt

We welcome your support to help us address any security issues, both to improve our products and protect our members.

What we would like to see from you:

Your reports will be reviewed and validated by a member of the Tide Security team. Providing clear and concise steps to reproduce the issue will help to expedite the response. As a minimum, your report must include:

• Clear description and evidence of the vulnerability (logs, screenshots, responses)
• Any platforms, operating systems, versions that are relevant
• Any relevant IP addresses, URLs and parameters
• Any supporting evidence you have collected (logging, tracing etc.)
• Your name, contact details and other personal details on our request
• Please preserve as much evidence as possible.
• Describe the impact. How would the vulnerability be exploited?
• Steps to reliably reproduce the issue.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider both the attack scenario/exploitability and the impact of the vulnerability. The following issues are considered out of scope:

• Reports from automated tools or scans
• Reports affecting outdated browsers
• Denial of Service Attacks
• Missing best practices in Content Security Policy.
• Issues without clearly identified security impact or speculative theoretical exploitability
• Missing security best practices and controls (rate-limiting/throttling, lack of CSRF protection, lack of security headers, missing flags on cookies, descriptive errors, server/technology disclosure – without clear and working exploit)
• Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files and/or wildcard presence/misconfigurations in these.
• Lack of HTTPS
• Reports about insecure SSL / TLS configuration
• Password complexity requirements, account/email enumeration, or any report that discusses how you can learn whether a given username or email address has a Tide related account
• Presence/Lack of autocomplete attribute on web forms/password managers.
• Server Banner Disclosure/Technology used Disclosure
• Full Path Disclosure
• IP Address Disclosure
• Publicly accessible login panels
• Clickjacking
• CSS Injection attacks. (Unless it gives you the ability to read anti-CSRF tokens or other sensitive information)
• Tabnabbing
• Host Header Injection (Unless it gives you access to interim proxies)
• Cache Poisoning
• Reflective File Download
• Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin: * or accepting of custom Origin header that does not specifically show a valid attack scenario
• PRSSI – Path-relative stylesheet import vulnerabilities (without an impactful exploitation scenario – for example stealing CSRF-tokens)
• OPTIONS/TRACE/DELETE/PUT/WEBDAV or any other HTTP Methods accepted by the server which do not specifically show a valid attack scenario
• Cookie scoped to parent domain or anything related to the path misconfiguration and improperly scoped
• Private IP/Hostname disclosures or real IP disclosures for services using CDN
• Open ports that do not lead directly to a vulnerability
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Lack of DNS CAA and DNS-related configurations
• Weak Certificate Hash Algorithm
• Social engineering of Tide employees or contractors
• Any physical/wireless attempt against Tide property
• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
• Open redirect – unless an additional security impact can be demonstrated
• Issues that require unlikely user interaction

For the avoidance of doubt, any such report, incl. security vulnerabilities discovered that are not in compliance with this responsible disclosure policy, will deem proprietary rights of Tide and Tide will own all intellectual property rights there of with no liability nor whatsoever to the reporter. By submitting any such report, the reporter explicitly understands and agrees to this provision. This responsible disclosure policy is dated 1st October 2020 and may be periodically updated per Tide’s sole discretion. Therefore, please bookmark this page and check whether newest version of the policy is available prior to taking any action.