Tiquo Bug Bounty Program

At Tiquo, we take the security of our platform seriously. We value the work of security researchers and welcome responsible disclosure of vulnerabilities. If you discover a security issue, we'd like to hear from you.

How It Works

  1. You discover a potential security vulnerability in a Tiquo product.
  2. You submit a detailed report to our security team.
  3. We acknowledge your report within 2 business days.
  4. Our team investigates, reproduces, and classifies the severity of the issue.
  5. We notify you of our classification and the reward amount.
  6. Payment is issued within 30 days of classification.

All severity classifications and reward amounts are determined by Tiquo after submission. We assess every report individually based on the real-world impact, exploitability, and scope of the vulnerability.

What's in Scope

Our bug bounty program covers the following:

  • tiquo.co and all subdomains
  • Tiquo API endpoints
  • Tiquo iOS and Android mobile applications
  • Tiquo.app webapp / dashboard
  • Authentication and authorization flows
  • Payment and data handling processes
  • Tiquo hardware

What's Out of Scope

The following are not eligible for rewards:

  • Third-party services or integrations not owned by Tiquo
  • Social engineering or phishing attacks against Tiquo employees
  • Denial of service (DoS/DDoS) attacks
  • Spam or rate-limiting issues with no direct security impact
  • Vulnerabilities requiring outdated browsers or platforms
  • Issues that have already been reported or are already known to us

Reward Tiers

We classify all submissions into four severity levels. The final reward is determined by Tiquo based on the quality of the report, the severity of the vulnerability, and the potential impact to our users.

Critical
£1,000 to £10,000

Vulnerabilities that could cause severe, company-wide damage. This includes remote code execution, full database access, authentication bypass granting access to all user accounts, payment system compromise, or mass exfiltration of personal or financial data.

High
£150 to £1,000

Significant vulnerabilities that affect individual users or expose sensitive data. This includes privilege escalation, stored cross-site scripting in sensitive contexts, insecure direct object references exposing other users' data, or broken access controls on API endpoints.

Medium
£50 to £150

Vulnerabilities that require specific conditions or user interaction to exploit. This includes reflected cross-site scripting, cross-site request forgery on sensitive actions, information disclosure of internal system data, or misconfigured CORS policies.

Low
£10 to £50

Minor issues with limited security impact. This includes missing security headers, verbose error messages exposing internal details, clickjacking on non-sensitive pages, or outdated software versions with no known exploit path.

Bonus Awards

Tiquo reserves the right to award bonuses above the stated ranges for exceptional reports. Factors that may qualify a submission for a bonus include particularly well-written reports with clear reproduction steps, vulnerabilities with widespread impact across multiple systems, creative exploitation chains that reveal deeper architectural issues, or researchers who work closely with our team during remediation. Bonus amounts are determined on a case-by-case basis.

Submission Guidelines

To help us investigate quickly, please include the following in your report:

  1. A clear description of the vulnerability
  2. Step-by-step reproduction instructions
  3. The affected URL, endpoint, or application screen
  4. Your testing environment (browser, OS, device)
  5. Screenshots or proof-of-concept code where possible
  6. Your assessment of the potential impact

Please submit one vulnerability per report. If you've found multiple issues, send a separate report for each.

Rules of Engagement

  1. Do not access, modify, or delete data belonging to other users.
  2. Do not run automated scanning tools against production systems without prior written approval from Tiquo.
  3. Do not publicly disclose any vulnerability before Tiquo has resolved it and provided written approval for disclosure.
  4. Allow a minimum of 90 days for investigation and remediation before any disclosure.
  5. Act in good faith at all times.

Safe Harbour

Security researchers who act in good faith and follow the rules above will not face legal action from Tiquo. We consider responsible security research conducted in line with this policy to be authorised activity. We will not pursue civil or criminal action against researchers who comply with this program.

Contact

Submit your reports to:

security@tiquo.co

We aim to acknowledge all submissions within 2 business days and provide an initial assessment within 10 business days.
