The Doist bug bounty program is a critical component of our security efforts. We work hand-in-hand with folks who take the time to report issues that could put our customers’ security and privacy at risk.
If you've found vulnerabilities or security issues that we should know about, we'd love to work with you. You may even be eligible for a monetary reward based on its severity.
Pierre · Security Support Specialist
Read our bug bounty program guidelines thoroughly to know which type of security issues we’ll be able to reward. Then, send a report using our contact form. Reports submitted through our contact form will only be considered for a bounty reward.
Program rules
Bug hunting can be a time-consuming process. To save time and effort when submitting your report, follow the bug bounty program rules:
- Follow HackerOne’s disclosure guidelines.
- Delete any test data or accounts you have created as part of the research.
- Don’t attack or interact with customers.
- Don’t engage with stolen customer data, including credentials.
- Don’t use automated scans or testing, like DoS attacks.
- Don’t use social engineering attacks, like phishing.
- Don’t engage in physical testing of Doist employees or their equipment.
Any participant that doesn’t comply with the program rules are disqualified immediately.
Eligibility
You may be eligible to receive a monetary reward if:
- You’ve complied with all the program rules.
- You're the first person to submit a specific product vulnerability.
- The vulnerability is considered to be a valid security issue.
- You can provide additional information to reproduce and address the issue.
These are the eligible targets for vulnerabilities and security risks:
- www.todoist.com
- app.todoist.com
- www.twist.com
- Latest versions of Todoist and Twist for macOS, Windows, Linux, iOS and Android
For testing purposes, use todoistbounty@protonmail.com
as the victim account.
Note
The Doist Bug Bounty team retains the right to decide if the submitted vulnerability is eligible.
Rewards
All bounty amounts are determined by the Doist Bug Bounty team. They evaluate each report and assign a severity level that determines the amount of the monetary reward to be received.
App | None | Low | Medium | High | Critical |
---|---|---|---|---|---|
Todoist | $0 | $100 | $200 | $500 | $1000 |
Twist | $0 | $50 | $100 | $250 | $500 |
Bounties are paid out via PayPal, and the Bug Bounty team determines the final amount of the bounty. Vulnerabilities found in Todoist for Android and Wear OS may qualify for an additional bounty through the Google Play Security Rewards Program.
Issue severity
The severity levels are decided internally based on the type of vulnerability and potential impact. Here’s are sample reports for each severity level:
- Issues not related to security, such as non-200 HTTP response codes, application or server errors, etc.
- Issues without a clear security impact, such as logged-out CSRF, missing HTTP security headers, SSL issues, password policy issues, or clickjacking on pages with no sensitive actions.
- Issues affecting outdated applications or components, no longer in use or maintained
- Issues affecting third-parties, such as third-party apps or services we use (e.g., Firebase, ZenDesk)
- Issues involving Spam or Social Engineering techniques, such as SPF and DKIM, and lack of DNSSEC.
- Issues involving server information disclosure, namely `X-Powered-by` and `Server` response headers. Exceptions may exist whenever disclosed information contains a server version with an associated CVE disclosure.
- Issues involving server-side request forgery (SSRF) on services that perform active requests by design, unless it is proven that sensitive information can be leaked.
- Bugs requiring exceedingly unlikely user interaction. (eg. account takeover through SSO login)
- Reports that require privileged access to the target's devices or that are otherwise outside our control. These include but are not limited to: access to browser cookies and/or other tokens used to impersonate the user, access to user's email address, etc.
- Clickjacking issues that occur on pre-authenticated pages, or the lack of `X-Frame-Options`, or any other non-exploitable clickjacking issues.
- Cross-OriginResourceSharing (CORS) issues, where server does NOT respond with `Access-Control-Allow-Credentials: true` header.
- Missing rate limits, unless it can lead to an exploitable vulnerability.
- User email enumeration on sign up, log in, and forgot password pages.
- Files available in URIs with a path starting with `/.well-known` (also known as well-known URIs).
- 2FA bypass through password reset
- Specific to client apps
- User data stored unencrypted
- Lack of obfuscation
- Runtime hacking exploits that involve manipulation of running code or its environment
- Open redirections
- Server misconfiguration or provisioning errors
- Information leaks or disclosure excluding sensitive user data
- Cross-OriginResourceSharing (CORS) issues, where server responds with `Access-Control-Allow-Credentials: true` header to a request with 3rd party `Origin` header (i.e. not `*.todoist.com`, `*.twist.com`).
- Reflected XSS
- Mixed content issues, if the target URL doesn't respond with a 'Strict-Transport-Security' (aka HSTS) header. The risk still exists but is limited to a single interaction per domain/subdomain (depending on HSTS value). Web browsers have been transitioning to an HTTPS default, further mitigating this problem.
- Other low-severity issues
- CSRF / XSRF
- SSRF to an internal service
- Stored XSS
- Other medium-severity issues
- Information leaks or disclosure including sensitive user data
- Other high-severity issues
- SQL injection
- Remote code execution
- Privilege escalation
- Broken authentication
- SSRF to an internal service, resulting in critical security risk
- Other critical-severity issues
Submit a report
Ready to submit your bug bounty report? These are the steps:
- Open the Doist Bug Bounty contact form.
- Provide a detailed report that includes:
- Clear reproducible steps
- Impact on our products or customers
- Any test accounts you may have used
- Test data you gathered from your tests
- Report independent vulnerabilities in separate reports.
- Give the report a clear title that describes the vulnerability.
- Click Send to submit your report.
Any report without clear reproduction steps or that includes only proof of concept video may be ineligible for a reward.
Get in touch
If you have any issues with the Bug Bounty contact form, or have general questions about the bug bounty program that’s not addressed here, get in touch with us. We— Pierre, Evert, Marija, or any of our other teammates—will make sure you get the support you need.