Please thoroughly read our policy as it clarifies which type of security issues we will be able to reward. Only reports submitted through our contact form (accessible through the button at the bottom of this page) will be considered for a bounty reward.
At Doist, our bug bounty program is a critical component of our security efforts. If you've found a security issue that you believe we should know about, we'd love to work with you. Your efforts may be eligible for a monetary reward.
- You must be the first to report the issue in order to be eligible for a bounty.
- You must be available to supply additional information, as needed by our team, to reproduce and address the issue.
- Follow HackerOne’s disclosure guidelines.
- Delete any test data or accounts you have created as part of the research.
- Don’t attack or interact with end-users.
- Don’t engage with stolen user data, including credentials.
- Don’t use automated scans or testing, including DoS attacks.
- Don’t use social engineering attacks, such as phishing.
- Don’t engage in physical testing of Doist employees or their equipment.
Failure to comply with these rules results in immediate disqualification.
- Current versions of Todoist and Twist for Windows, macOS, Linux, iOS and Android
- For testing purposes, please use firstname.lastname@example.org as the victim account.
Submitting your report
- Provide a detailed report including clearly reproducible steps, the impact on our products and/or our users, and any test accounts you may have used along with test data.
- Make sure to report independent vulnerabilities in separate tickets.
- Make sure to give your report a clear title that describes the vulnerability.
- Your submission must include written instructions for reproducing the vulnerability. Any report without clear reproduction steps or that includes only a video PoC may be ineligible for a reward.
- You are the first person to submit a product vulnerability
- The vulnerability is considered to be a valid security issue by our team
- You have complied with all Program Rules
All bounty amounts will be determined by our team, who will evaluate each report and assign a severity level that determines the amount of the monetary reward to be received. The severity levels are decided internally based on the type of vulnerability and potential impact. Below you can find an overview of samples for each severity level:
Severity level: None — no reward
- Issues not related to security, such as non-200 HTTP response codes, application or server errors, etc.
- Issues without a clear security impact, such as logged-out CSRF, missing HTTP security headers, SSL issues, password policy issues, or clickjacking on pages with no sensitive actions.
- Issues affecting outdated applications or components, no longer in use or maintained
- Issues affecting third-parties, such as third-party apps or services we use (e.g., Firebase, ZenDesk)
- Issues involving Spam or Social Engineering techniques, such as SPF and DKIM, and lack of DNSSEC.
- Issues involving server information disclosure, namely `X-Powered-by` and `Server` response headers. Exceptions may exist whenever disclosed information contains a server version with an associated CVE disclosure.
- Issues involving server-side request forgery (SSRF) on services that perform active requests by design, unless it is proven that sensitive information can be leaked.
- Bugs requiring exceedingly unlikely user interaction. (eg. account takeover through SSO login)
- Reports that require privileged access to the target's devices or that are otherwise outside our control. These include but are not limited to: access to browser cookies and/or other tokens used to impersonate the user, access to user's email address, etc.
- Clickjacking issues that occur on pre-authenticated pages, or the lack of `X-Frame-Options`, or any other non-exploitable clickjacking issues.
- Cross-OriginResourceSharing (CORS) issues, where server does NOT respond with `Access-Control-Allow-Credentials: true` header.
- Missing rate limits, unless it can lead to an exploitable vulnerability.
- User email enumeration on sign up, log in, and forgot password pages.
- Files available in URIs with a path starting with `/.well-known` (also known as well-known URIs).
- Specific to client apps
- User data stored unencrypted
- Lack of obfuscation
- Runtime hacking exploits that involve manipulation of running code or its environment
Severity level: Low
- Open redirections
- Server misconfiguration or provisioning errors
- Information leaks or disclosure excluding sensitive user data
- Cross-OriginResourceSharing (CORS) issues, where server responds with `Access-Control-Allow-Credentials: true` header to a request with 3rd party `Origin` header (i.e. not `*.todoist.com`, `*.twist.com`).
- Reflected XSS
- Mixed content issues, if the target URL doesn't respond with a 'Strict-Transport-Security' (aka HSTS) header. The risk still exists but is limited to a single interaction per domain/subdomain (depending on HSTS value). In 2021 browsers have been transitioning to an HTTPS default, further mitigating this problem.
- Other low-severity issues
Severity level: Medium
- CSRF / XSRF
- SSRF to an internal service
- Stored XSS
- Other medium-severity issues
Severity level: High
- Information leaks or disclosure including sensitive user data
- Other high-severity issues
Severity level: Critical
- SQL injection
- Remote code execution
- Privilege escalation
- Broken authentication
- SSRF to an internal service, resulting in critical security risk
- Other critical-severity issues
Vulnerabilities on our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program.
All bounties are paid out via PayPal.
Doist’s team retains the right to determine if the submitted vulnerability is eligible.
All determinations as to the amount of a bounty made by the Doist Bug Bounty team are final.