Report a Security or Privacy Vulnerability
TaxDome’s Bug Bounty Policy applies to security vulnerabilities found within its public-facing online environment.
Purpose
The purpose of the Policy is to establish the rules for the review, evaluation, application, and verification of system updates to mitigate vulnerabilities in the IT environment and the risks associated with them. If you believe you have discovered a security or privacy vulnerability in the TaxDome product, please report it to us.
Disabling Cookies
You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of the this site. Therefore it is recommended that you do not disable cookies.
Bounty Eligibility
Any security researcher is required not to take any destructive action that could result in:
- Loss of data from other users
- Denial of Service for other users
- Add to any Block List
In case you suspect that a vulnerability of this kind exists, please report to the TaxDome development team here.
Severity levels
We classify vulnerabilities based on their potential impact on our systems. This helps us prioritize fixes and determine appropriate rewards. The severity levels are:
- SEV-1 (low severity): there’s no way to exploit the vulnerability currently, but it has potential weaknesses that could be exploited in the future.
- SEV-2 (medium severity): the vulnerability allows an attacker to have a minor or limited impact on system operation. This might involve limited data access or bypassing minor restrictions.
- SEV-3 (high severity): the vulnerability significantly impacts the operation of the entire system or allows an attacker to circumvent restrictions on a limited set of data.
- SEV-4 (critical severity): the vulnerability significantly impacts the entire system or allows easy access to a significant amount of data by an attacker.
- SEV-5 (extreme severity): the vulnerability grants an attacker complete and undetectable access to the system.
Examples of Vulnerabilities by Severity
Here are some examples of vulnerabilities classified by their severity level:
- SEV-1 (low severity): HTML injection/malicious code/URL injection; open redirect
- SEV-2 (medium severity): DOS (denial of service) attack possibility; employee without necessary rights can get access to the organizer and organizer template
- SEV-3 (high severity): an attacker can steal a user’s clients and can link the clients to their contacts via IDOR (Insecure Direct Object References)
- SEV-4 (critical severity): an attacker can get unauthorized access to delete invoices of all users via IDOR
- SEV-5 (extreme severity): an attacker can inject arbitrary code that allows them to completely take over a user’s account, steal their data, and perform actions undetected on their behalf
Protecting Our Clients from Phishing
TaxDome is committed to protecting our clients from phishing attacks. Phishing emails are fraudulent attempts to trick recipients into revealing sensitive information, such as usernames, passwords, or financial data. Sometimes, these emails appear to be from legitimate sources, such as a firm owner using TaxDome.
What to Look Out For
Phishing emails can be very convincing, but there are some red flags to watch out for:
- The email address might look similar to a legitimate sender but have slight variations (e.g. one extra character or a different domain name)
- The email might address you generically instead of by your name
- The email might create a sense of urgency or pressure to act quickly
- Phishing emails often contain grammatical errors or typos
If you receive a suspicious email claiming to be from your firm owner or TaxDome, please do not click on any links or attachments.
Reporting Phishing Attempts
While we appreciate your vigilance, please note that reports about phishing attempts are not eligible for our Bug Bounty program. Our program focuses on identifying vulnerabilities within the TaxDome platform itself.
Program Rules
Please note that we only pay fees for original reports. If a duplicate is registered, we will inform you when the first report is filed.
Ineligible Reports:
- Everything that is not under our control (third-party services, including but not limited to Site.pro, featureOS, Intercom, Beamer, Customer.io)
- Everything that requires physical access to device or network
- Everything that requires outdated versions of software or hardware
- Social engineering, phishing etc.
- Recommendations and best practices, as long as there is no specific exploit
How to Report Security or Privacy Vulnerabilities?
- If you believe you have discovered a security or privacy vulnerability that affects TaxDome software, services, or web servers, please report it to us.
- We welcome reports from everyone, including security researchers, developers, and customers.
- To report a security or privacy vulnerability, please report to us here and include relevant videos, crash logs, and system diagnosis reports in your report.
- You’ll receive a reply from TaxDome to acknowledge that we received your report. We’ll contact you if we need more information within 10 business days.