Cool Tabs treats security as a top priority. We are committed to ensuring your protection and privacy.
This vulnerability disclosure policy, which must be read in the context of the Cool Tabs Terms and Conditions, is intended for security researchers interested in reporting security vulnerabilities to Cool Tabs, and is intended to provide guidelines on how to responsibly report vulnerabilities to Cool Tabs.
If you believe you have discovered a vulnerability that may compromise the confidentiality, integrity, or availability of a Cool Tabs site or application and the information handled therein, we urge you to report it to us as quickly as possible and not to publicly disclose the vulnerability until it is fixed.
To encourage responsible disclosure, Cool Tabs will not take legal action in connection with your vulnerability detection activities on our systems, as long as you follow the guidelines in this policy.
Responsible Disclosure Guidelines
- Notify Cool Tabs and provide us details of the vulnerability. Please provide us a reasonable time period to address the issue before public disclosure.
- Provide an appropriate level of detail on the vulnerability to allow us to identify and reproduce the issue. Detail should include target URLs, request/response pairs, screenshots, and/or other information.
- We will confirm your email and evaluate the validity and reproducibility of the issue. For valid issues, we will work to fix the issue and keep you apprised of progress.
- Make a reasonable effort to avoid service disruption (e.g. DoS), privacy issues (i.e. accessing a Cool Tabs user’s data), and data destruction when performing vulnerability research.
- Do not request compensation for security vulnerability reports either from Cool Tabs or external vulnerability marketplaces.
- Do not phish or social engineer employees, partners, or users of Cool Tabs.
- Do not run automated scanning tools and send us the output without confirming the issue is present. Security tools often output false positives that should be confirmed by the reporter.
Vulnerability Categories We Encourage
We are primarily interested in hearing about the following vulnerability categories:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- SQL Injection (SQLi)
- Authentication related issues
- Authorization related issues
- Data Exposure
- Redirection Attacks
- Remote Code Execution
- Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
Out of Scope Vulnerability Categories
The following vulnerability categories are considered out of scope of our responsible disclosure program and will not be eligible for credit on our researcher list:
- DMARC, SPF records configuration
- SSL vulnerabilities related to configuration or version
- Denial of Service (DoS)
- User enumeration
- Brute forcing
- Secure flag not set on non-sensitive cookies
- HTTPOnly flag not set on non-sensitive cookies
- Logout Cross Site Request Forgery (CSRF)
- Issues only present in old browsers/old plugins
- HTTP TRACE method enabled
- Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
- Clickjacking on pages without authentication and/or sensitive state changes
- Vulnerability reports that require a large amount of user cooperation to perform unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)
How to Report a Security Vulnerability
Please email help@cool-tabs.com to report security vulnerabilities to Cool Tabs. If you feel the email should be encrypted, our PGP key is available here: