HackerOne Policy

Introduction

Grindr is excited to be working with the HackerOne security community to help find security vulnerabilities. We are happy to work together to keep Grindr and our users safe. Please report security issues or concerns you find and note the "Out of Scope Vulnerabilities" and "Bounties and Rewards" sections to understand how we reward findings.

Please note that this service is only for the submission of technical security issues. If you need help with a support issue (account, billing, safety, privacy etc.), please reach out to our help center: https://help.grindr.com/hc/en-us/requests/new

Here are some safety & privacy tips: https://help.grindr.com/hc/en-us/categories/1500001110042-Safety-Privacy

Grindr Security Vulnerability Reporting Program Terms

Your participation in our Security Vulnerability Reporting Program is voluntary. By joining our Security Vulnerability Reporting Program, submitting a report, or otherwise disclosing a vulnerability to us (“Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”).

If (i) you do not meet the eligibility requirements below; (ii) you breach any of these Program Terms or any other agreements you have with Grindr or its affiliates; or (iii) we determine that your participation in our Security Vulnerability Reporting Program could adversely impact us, our affiliates, or any of our users, employees, or agents, we, in our sole and absolute discretion, may remove you from our Security Vulnerability Reporting Program and disqualify you from receiving any benefit of our Security Vulnerability Reporting Program.

Confidentiality

Any information you receive, collect or otherwise obtain about us, our services, our affiliates or any of our users, employees, or agents in connection with our Security Vulnerability Reporting Program (whether after or before you joined the Security Vulnerability Reporting Program, notably as a result of you finding and/or investigating a security bug in our in-scope applications or infrastructure) (“Confidential Information”) must be kept confidential, only used in connection with the Security Vulnerability Reporting Program, and not disclosed to any third party. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your participation in our Security Vulnerability Reporting Program and any Submission.

By joining and participating in our Security Vulnerability Reporting Program, you represent and warrant that you have not used and will not use Confidential Information for any purpose other than in connection with the Security Vulnerability Reporting Program and that you have not shared and will not share such Confidential Information with any third party.

Once a Submission is made, Grindr reserves the right to request from you, and you already accept to abide by this request, to securely and irreversibly delete any data related to such Submission, including, without limitation, any data about us, our services, our affiliates, or any of our users, employees, or agents. Additionally, you agree to securely and irreversibly delete any data related to the Submission immediately upon it no longer being reasonably necessary to retain for the purposes of conveying the impact or scope of the reported issue, after verifying with Grindr that it is no longer necessary, and/or if the Submission is closed, regardless of outcome.

Eligibility to Participate

To participate in our Security Vulnerability Reporting Program, you must:

• Be at least 18 years of age.
• Not be a resident of, or make a Submission to our Security Vulnerability Reporting Program from, a country against which the United States has issued export sanctions or other trade restrictions.
• Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Security Vulnerability Reporting Program.
• Not be employed by Grindr or any of its affiliates or an immediate family member of a person employed by Grindr or any of its affiliates.

You are responsible for any tax implications of a bounty or reward from our Security Vulnerability Reporting Program in accordance with your country of residency and citizenship.

Response Targets

Grindr will make a best effort to meet the following SLAs for hackers participating in our program:

We will try to keep you informed about our progress throughout the process.

Disclosure Policy

• Follow HackerOne's disclosure guidelines.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a bounty.

• Submit one clear vulnerability per report, unless you need to chain vulnerabilities to provide impact. Include attachments such as screenshots, videos and proof of concept code as necessary.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• If multiple vulnerabilities are caused by one underlying issue, only the first reported that meets our submission requirements will be accepted.
• Social engineering (e.g. phishing, vishing, smishing or physical attacks against our employees, users or infrastructure) is prohibited.
• Make a good faith effort to avoid privacy violations, unauthorized destruction of data, and/or interruption or degradation of our service.
• Only interact with accounts you own or with the explicit permission of the account holder.
• Do respect our users’ privacy.
• Please do not interact with real users during your testing.
• Do not leak, manipulate, or destroy any user data.
• Please only test against accounts you own yourself or with explicit permission of the account holder.
• Do not attempt to elevate privileges, or explore a system beyond the minimum necessary to prove access or attempt to pivot in any way. This will disqualify you from receiving a bounty.
• Do not leave any system in a more vulnerable state than you found it.
• If you encounter unanticipated access or viewing of user personal information, cease further testing and make your Submission immediately.
• Do not mass create accounts to perform testing against our applications and services. Creating a few accounts for testing is not a problem.
• Do not publicly disclose vulnerabilities without our explicit consent.
• Do be respectful when interacting with our team.
• Do not extort us.

Test Plan

• Grindr is taking a black-box testing approach.
• Issues with the higher severity and higher bounties as described in the "Treasure Map" involve finding vulnerabilities in the mobile app and how it uses the backend API's. Focus on defeating the certificate pinning used in the mobile app to find these higher severity issues.
• You may create your own Grindr accounts for testing purposes provided you are at least 18 years of age or the age of majority in your jurisdiction.
• When using test accounts you should only be able to see personal information that other Grindr users have allowed you to see via their account configuration. Avoid interacting with real users and instead please setup multiple test accounts when you try and identify if it is possible to access too much information from another test user's account or identify issues with features like chatting.
• We encourage you to also perform penetration testing on administrative systems that are not part of the core app, provided they are not excluded subdomains of grindr.com, grindr.io, grindr.mobi, and grindr.work, and not those of any of Grindr’s third party service providers.

Bounties and Rewards

Our bounties and rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). If an issue is low priority, CVSS scoring may not be used and a small bounty may be provided. Please note these are general guidelines. Bounty and reward decisions are up to the discretion of Grindr.

Treasure Map

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

The following tables highlight the severity associated with different types of security issues, assuming they are not specified as being “out-of-scope”.
Note that sensitive and personal data includes private chats or media (photos, videos, audio, etc.) that users share with each other. It also includes location information beyond what is normally provided within the Grindr application.

Out of Scope Vulnerabilities

Bounties are typically not given for vulnerabilities reported that are out-of-scope in any of the following ways. Exceptions may be made for vulnerabilities that have a proof-of-concept that demonstrates a significant attack (like a breach or access to sensitive data).

• Attacks on other Grindr users requiring MITM or physical access of another user's device.
• Outdated DNS entries or Subdomain Takeover.
• The ability to obtain multiple promotional items by opening multiple accounts.
• Most GPS spoofing related issues.
• Third-party API Keys/Secrets embedded in mobile applications, without a clear impact, as many third-parties require this for their own client attribution purposes.
• Ability to access user data that is intentionally exposed in Grindr API responses.
• Spamming.
• Any activity that could lead to the disruption of our service (DoS).
• Clickjacking on pages with no sensitive actions.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions or minimal security implication (logout CSRF for example).
• Missing or weak configuration for HTML security headers or usage of attributes or flags (Content Security Policy, cookie flags, etc.).
• Service hardening recommendations without a clear security impact. This includes lack of, or weak, Captcha or rate limiting usage. This includes brute forcing that improper rate limiting can allow.
• Bypassing Cloudflare or accessing origin servers for low-risk assets (like those that do not support authorization, authentication or user session features).
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
• Software version disclosure / Banner identification issues / Descriptive error messages or headers. This includes headers or endpoints identifying web server type/version/etc, web server status, application or server errors. This includes stack traces or overly verbose responses unless it exposes an exploit that can be demonstrated.
• Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version).
• Mobile client issues requiring a rooted device and/or outdated OS version. This includes ways to bypass the Grindr PIN on mobile devices if you have access to root.
• Situations where a blocked user is able to continue seeing old messages or information from a deleted user or user who blocked them. We are aware of such corner cases and are working to fix them.
• Unrestricted file uploads without a clear impact, beyond resource consumption, DoS, undesirable content, etc.
• Missing best practices in SSL/TLS configuration.
• Previously known vulnerable libraries without a working Proof of Concept.
• Disclosure of known public files or directories (.htaccess, robots.txt, etc.).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Tabnabbing.
• Open redirect - unless an additional security impact can be demonstrated.
• Self-XSS.
• Attacks that only affect the user hacking their own use or accounts associated with the same email or mobile number.
• Lack of certificate pinning or HSTS.
• Homographs, RTLO, or other types of UI issues.
• Issues that require unlikely user interaction.
• Dependency takeovers without a clear indication that Grindr services have been affected.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Long-expired account reset tokens found with this Google search: "site:grindr.com inurl:resetToken".
• Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
• Leaked credentials will be closed as informative only unless deemed extremely sensitive, in which case they will be assessed on a case-by-case basis.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Program Updates and Licenses

We may modify the Program Terms or cancel our Security Vulnerability Reporting Program at any time in our sole and absolute discretion.

As a condition of participation in our Security Vulnerability Reporting Program, you hereby grant Grindr and its affiliates a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable, and exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale, and import the Submission, as well as any materials submitted to Grindr in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us. You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission.

Thank you for helping keep Grindr and our users safe!