TMF Group Bug Bounty Program

Program Type: Private
Launched: May 27, 2025
Status: Ongoing

TMF Group is committed to ensuring the security and integrity of our services. As part of this commitment, we are launching the TMF Group Bug Bounty Program. Through this program, we encourage security researchers to responsibly disclose any potential vulnerabilities they find on our platforms, thereby contributing to our continuous drive to enhance the safety and security of our systems.

Total Submissions: 62
Total Researchers: 15801
Testing Cycles: 423
Submission Rate: 0.26%

TMF Group

About
TMF Group is a single global team with over 11,000 colleagues in more than 125 offices across 87 jurisdictions, covering 92% of world GDP and 95% of FDI inflow. We bring common culture and ways of working, investing heavily in our people and platform to provide a high level of quality and security to our clients. We exist to give clients a global solution to what otherwise requires many local providers, each with their individual operational complexity and risk. Our clients include the majority of the Fortune Global 500, FTSE 100 and top 300 private equity firms. We see ourselves as a partner to them, keeping them on top of complex rules and regulations in the countries where they are active. We recognise that what we do is critical to our clients’ reputation and integrity. That is why we have made flawless service our single obsession. Great service starts with our people, so colleague and client engagement are the two measures we care most about, driving our management agenda and investment.
Organization Details
Name: TMF Group
Website: https://www.tmf-group.com/
LinkedIn: https://www.linkedin.com/company/tmf-group/

Rewards Listing

Shown in INR

Technical Severity    Created        Reward Range (INR)
P1 · Critical         27 May 2025    ₹7000.00 – ₹10000.00
P2 · Severe           27 May 2025    ₹5000.00 – ₹7000.00
P3 · Moderate         27 May 2025    ₹3000.00 – ₹5000.00
P4 · Low              27 May 2025    Certificate of Appreciation
P5 · Informational    27 May 2025    Certificate of Appreciation
Rewards are indicative and may vary based on impact, quality, and report clarity.
SLA - Service Level Agreement

Resolution SLAs

Defined resolution targets for reported vulnerabilities

P1: 7 days
P2: 30 days
P3: 60 days
P4: 90 days
P5: 120 days
Program Rules
  • Always conduct testing ethically and legally.
  • Do not publicly disclose the vulnerability without obtaining explicit consent from TMF Group.
  • Never attempt to access, modify, delete, or store user data.
  • If using automated tools or scripts, ensure they do not cause harm or excessive traffic to our platforms.
  • Use only your own accounts for testing. Do not interact with or exploit other real users' accounts.
  • If you find multiple vulnerabilities, report them sequentially and not simultaneously, giving us time to respond.
  • Do not conduct tests that may degrade our services or impact our users.


Eligibility to Participate
  • Age: Participants must be 18 years or older at the time of entry.
  • Affiliation: Individuals affiliated with TMF Group, including employees, contractors, and their immediate families, are not eligible to participate.
  • Country of Residence: While we accept submissions globally.
  • Compliance: Researchers must be in full compliance with all terms and conditions of the TMF Group Bounty Initiative.


Out of Scope

Authentication & Session Management

  • Failure to Invalidate Session on Password Reset and/or Change
  • Insufficient session expiration
  • Login or Forgot Password page brute force and account lockout not enforced
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Missing reCAPTCHA/RateLimit
  • Rate limiting or brute-force issues
  • Testing for weak credentials
  • User Enumeration issues

Information Disclosure

  • Disclosure of IP addresses
  • Disclosure of known public files or directories (e.g., robots.txt)
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers
  • Debug information disclosure on development, UAT, staging, etc. environments
  • Disclosure of debug information that does not pose a security risk
  • Partial source code disclosure through debug information
  • Public Google API keys used for Maps disclosure
  • Public API keys intentionally exposed for analytics or error reporting purposes (e.g., DataDog client tokens)
  • Leaked credentials from dark web sources
  • Data or credential leaks from sources that do not originate from a vulnerability in our in-scope products

Security Misconfigurations

  • Missing best practices in Content Security Policy
  • Missing HTTP security headers (e.g., Strict-Transport-Security, X-Frame-Options, etc.)
  • Missing HttpOnly or Secure flags on cookies
  • SSL/TLS related issues
  • Using known vulnerable components
  • Vulnerabilities related to outdated, unpatched browsers or operating systems

Injection & Spoofing

  • Comma Separated Values (CSV) injection
  • Content spoofing and text injection issues
  • Self XSS

Access Control & Redirection

  • Open redirect - unless an additional security impact can be demonstrated
  • Subdomain-takeovers
  • Tabnabbing

Testing & Exploit Limitations

  • Theoretical issues that are not exploitable, or cannot be demonstrated as exploitable
  • Potential post-exploitation scenarios (must be reported immediately)
  • Issues that require unlikely user interaction

Email & Communication Protocols

  • Attacks related to email servers, email protocols, and email security (e.g., SPF, DMARC, DKIM, or email spam)
  • Email bombing/Flooding/rate limiting

Third-Party & External Services

  • Third-party services that are not owned by TMF-Group
  • TMF-Group Related Public Repos on various platforms

Denial of Service & Disruption

  • Any activity that could lead to the disruption of our service (DoS), including stress-testing or load-testing tools

Social Engineering

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited

Broken Links & Hijacking

  • Broken link hijacking issues
  • Broken Link Submissions (Includes Hijacking of broken links)

UI-Based Vulnerabilities

  • Clickjacking/UI redressing/TapJacking
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

Follow the Rules and Scope

Carefully review and understand the rules and scope of the bug bounty program. Each program has specific guidelines, eligibility criteria, and a defined scope of systems, applications, or services that are in-scope for testing. Focus your efforts on these areas to ensure your findings are eligible for rewards.


Provide Detailed Reports

When reporting a vulnerability, commit to providing clear and comprehensive details to help the organization reproduce and validate your findings. Include step-by-step instructions, proof-of-concept code if applicable, and any other relevant information that can assist the organization's security team in understanding and verifying the issue.


Collaborate Professionally

Engage in professional communication with the organization's security team. Be responsive to any requests for clarification, additional information, or coordination during the vulnerability verification process. Maintain open and respectful communication throughout the entire process, understanding that both parties are working together to improve security.


Responsible Disclosure

Always adhere to responsible disclosure practices. When you discover a vulnerability, avoid exploiting it for malicious purposes or sharing it with unauthorized parties. Instead, immediately report the vulnerability to the program organizers following the reporting process outlined in the program guidelines. This allows the organization to address the issue before potential harm can occur.


Safe Harbor

Researchers participating in our programs are expected to adhere to specific Safe Harbor provisions. They are assured legal protection: by complying with all program terms, they are granted a legal safe harbor, ensuring they will not face lawsuits or legal action for their reported findings. Participants also commit to responsible disclosure, providing ample time to address and rectify vulnerabilities, and do not disclose any findings publicly whatsoever. Testing should be confined only to systems they have explicit authorization to assess. Furthermore, during the assessment, data access should be minimized, focusing only on what is necessary to validate a vulnerability, and retaining no user data beyond what is absolutely required.