
Tucows (VDP)
External Program
Submit bugs directly to this organization


Tucows looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Welcome to the Tucows Vulnerability Disclosure Program!
At Tucows we take security seriously. If you believe that you have found a security vulnerability in any of the systems in scope, please report it to us using the "Submit Report" button on this page.
Tucows appreciates your participation in this program and looks forward to your findings.
Open Scope — Accepts reports for all owned assets based on impact, even if not listed in scope.
Gold Standard Safe Harbor — Adheres to Gold Standard Safe Harbor.
Coordinated Vulnerability Disclosure Standard — Follows standard coordinated vulnerability disclosure practices.
Top Response Efficiency — This program's response efficiency is above 90%.
Please follow HackerOne's Vulnerability Disclosure Guidelines at https://www.hackerone.com/terms/disclosure-guidelines
Core Ineligible Findings are out of scope per https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings
At this point we do not accept reports for subdomains under tucows.com (*.tucows.com). This includes, but is not limited to, subdomain takeovers, directory listings, WordPress installs, and publicly accessible software archives.
We do not take reports for our support sites. These websites are hosted by a third party:
Please redirect reports for these sites to the H1 program for the vendor at https://hackerone.com/freshworks
Reports involving credentials harvested via malware, phishing, or third-party breaches are out of scope and not eligible for reward.
While these findings are not in scope for this program, we take credential leaks and data exposure seriously. If you do discover such information, please share it with us as informational—it helps inform our internal monitoring and remediation processes.
Tucows supports a transparent, respectful, and collaborative approach to vulnerability disclosure. If you follow this policy in good faith, we consider your security research authorized and will not take legal action.
Thank you for helping keep Tucows and our users safe!