Responsible Disclosure

Tide believes in keeping its members data secure and private. We acknowledge the valuable role that independent security researchers play in security and, as a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or product. Tide welcomes feedback from the security community on its product, platform and website to help keep our business and members safe. If you have information related to security vulnerabilities discovered within Tide products and services, please submit a report in accordance with our Responsible Disclosure Policy.

Responsible Disclosure Policy

Our Responsible Disclosure Policy allows for security testing to be conducted by anyone in the security community with safe communication of those results. If any vulnerabilities are identified please report them to Tide using following two ways:

  1. The HackerOne form provided at the end of this page or you can directly visit our bug bounty program on Hackerone and submit report at

  2. You can mail us at using the following PGP to encrypt the message and any attachments:



We welcome your support to help us address any security issues, both to improve our products and protect our members.

What we would like to see from you:

Your reports will be reviewed and validated by a member of the Tide Security team. Providing clear and concise steps to reproduce the issue will help to expedite the response. As a minimum, your report must include:

Test Plan

If you are legally resident in a country in which Tide offers business accounts and meet the necessary criteria for an account in that region you may sign up for an account using promocode “HACKERONE”. Once your request for an account is approved via our normal “Know Your Customer” (KYC) processes you may use this account to perform exploratory testing of all API’s listed in the program scope below. If your request for an account is denied for any reason we are not able to facilitate testing accounts but you may still perform unauthenticated testing on any public API’s or applications listed in the program scope.

We would consider being able to create an account without going through our KYC processes to be a critical severity issue.

Identifying Yourself

It is likely that traffic generated by researchers will be categorised as malicious. Identifying your traffic will help us classify the traffic accordingly. We request that this is done by adding the following header to your request:

X-Hackerone: username

In Scope

Out of Scope

Out of scope vulnerabilities

When reporting vulnerabilities, please consider both the attack scenario/exploitability and the impact of the vulnerability. The following issues are considered out of scope:

Submit report:

Please use the below form to submit vulnerability report:

If you have questions you can reach out to us through .

For the avoidance of doubt, any such report, incl. security vulnerabilities discovered that are not in compliance with this responsible disclosure policy, will deem proprietary rights of Tide and Tide will own all intellectual property rights there of with no liability nor whatsoever to the reporter. By submitting any such report, the reporter explicitly understands and agrees to this provision. This responsible disclosure policy is dated 1st October 2020 and may be periodically updated per Tide’s sole discretion. Therefore, please bookmark this page and check whether newest version of the policy is available prior to taking any action.