Bug Bounty

Report a Security or Privacy Vulnerability

TaxDome’s Bug Bounty Policy applies to security vulnerabilities found within its public-facing online environment.

Purpose

The purpose of the Policy is to establish the rules for the review, evaluation, application, and verification of system updates to mitigate vulnerabilities in the IT environment and the risks associated with them. If you believe you have discovered a security or privacy vulnerability in the TaxDome product, please report it to us.

Bounty Eligibility

Security researchers must not take any destructive action that could result in:

  • Loss of data belonging to other users
  • Denial of service for other users
  • TaxDome being added to any block list

If you suspect that a vulnerability of this kind exists, please contact the TaxDome development team at help@taxdome.com instead of attempting to exploit it.

Severity levels

We classify vulnerabilities based on their potential impact on our systems. This helps us prioritize fixes and determine appropriate rewards. The severity levels are:

  • SEV-1 (low severity): there’s no way to exploit the vulnerability currently, but it has potential weaknesses that could be exploited in the future.
  • SEV-2 (medium severity): the vulnerability allows an attacker to have a minor or limited impact on system operation. This might involve limited data access or bypassing minor restrictions.
  • SEV-3 (high severity): the vulnerability significantly impacts the operation of the entire system or allows an attacker to circumvent restrictions on a limited set of data.
  • SEV-4 (critical severity): the vulnerability significantly impacts the entire system or allows easy access to a significant amount of data by an attacker.
  • SEV-5 (extreme severity): the vulnerability grants an attacker complete and undetectable access to the system.

Examples of Vulnerabilities by Severity

Here are some examples of vulnerabilities classified by their severity level:

  • SEV-1 (low severity): HTML injection, malicious code or URL injection; open redirect
  • SEV-2 (medium severity): possibility of a DoS (denial of service) attack; an employee without the necessary rights can access the organizer and organizer template
  • SEV-3 (high severity): an attacker can steal a user’s clients and link those clients to their own contacts via IDOR (Insecure Direct Object References)
  • SEV-4 (critical severity): an attacker can gain unauthorized access to delete the invoices of all users via IDOR
  • SEV-5 (extreme severity): an attacker can inject arbitrary code that allows them to completely take over a user’s account, steal their data, and perform actions undetected on their behalf

Protecting Our Clients from Phishing

TaxDome is committed to protecting our clients from phishing attacks. Phishing emails are fraudulent attempts to trick recipients into revealing sensitive information, such as usernames, passwords, or financial data. Sometimes, these emails appear to be from legitimate sources, such as a firm owner using TaxDome.

What to Look Out For

Phishing emails can be very convincing, but there are some red flags to watch out for:

  • The email address might look similar to a legitimate sender but have slight variations (e.g. one extra character or a different domain name)
  • The email might address you generically instead of by your name
  • The email might create a sense of urgency or pressure to act quickly
  • Phishing emails often contain grammatical errors or typos

If you receive a suspicious email claiming to be from your firm owner or TaxDome, please do not click on any links or attachments.

Reporting Phishing Attempts

While we appreciate your vigilance, please note that reports about phishing attempts are not eligible for our Bug Bounty program. Our program focuses on identifying vulnerabilities within the TaxDome platform itself.

Program Rules

Please note that we only pay fees for original reports. If your report duplicates an earlier one, we will tell you when the first report was filed.

Ineligible Reports:

  • Anything that is not under our control (third-party services, including but not limited to Site.pro, featureOS, Intercom, Beamer, Customer.io)
  • Anything that requires physical access to a device or network
  • Anything that requires outdated versions of software or hardware
  • Social engineering, phishing, etc.
  • Recommendations and best practices where no specific exploit is demonstrated

How to Report Security or Privacy Vulnerabilities?

  1. If you believe you have discovered a security or privacy vulnerability that affects TaxDome software, services, or web servers, please report it to us.
  2. We welcome reports from everyone, including security researchers, developers, and customers.
  3. To report a security or privacy vulnerability, send an email to security@taxdome.com and include relevant videos, crash logs, and system diagnosis reports in your message.
  4. You’ll receive a reply from TaxDome acknowledging that we received your report, and we’ll contact you within 10 business days if we need more information.

Last updated July 4, 2024