Last Updated February 28, 2022
At TaxBit, Inc., we take the security of our users' data very seriously. If you've discovered, or believe you've discovered, a potential security vulnerability in the TaxBit product, we encourage you to disclose your discovery to us as quickly as possible in accordance with this Responsible Disclosure Program.
We'll work with you to validate and respond to security vulnerabilities that you report to us. Because public disclosure of a security vulnerability could put the entire TaxBit community at risk, we require you to keep such potential vulnerabilities confidential until we are able to address them. We won't take legal action against you or suspend or terminate your access to any TaxBit services, provided you discover and report security vulnerabilities in accordance with this Responsible Disclosure Program. TaxBit reserves all of its legal rights in the event of any noncompliance.
Capitalized terms that aren't defined in this Responsible Disclosure Program shall have the meaning set forth in our Terms of Service.
We encourage responsible security research on the TaxBit services and products. We allow you to conduct vulnerability research and testing on the TaxBit services to which you have authorized access.
In no event shall your research and testing involve:
Accessing, or attempting to access, accounts or data that do not belong to you or your Authorized Users
Any attempt to modify or destroy any data
Executing, or attempting to execute, a denial of service attack
Sending, or attempting to send, unsolicited or unauthorized email, spam, or other forms of unsolicited messages
Testing third-party websites, applications, or services that integrate with the TaxBit services
Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software, or otherwise attempting to interrupt or degrade the TaxBit services
Any activity that violates any applicable law
The following is a partial list of issues that we ask you not to report unless you believe there is an actual vulnerability:
CSRF on forms that are available to anonymous users
Disclosure of known public files or directories (e.g. robots.txt)
Domain Name System Security Extensions (DNSSEC) configuration suggestions
Banner disclosure on common/public services
HTTP/HTTPS/SSL/TLS security header configuration suggestions
Lack of Secure/HTTPOnly flags on non-sensitive cookies
Logout Cross-Site Request Forgery (logout CSRF)
Phishing or social engineering techniques
Presence of application or web browser 'autocomplete' or 'save password' functionality
Sender Policy Framework (SPF) configuration suggestions
HTTP/DNS cache poisoning
HTTP header injection
Security best practices without a real security impact
"HTTP Host Header" XSS
Lack of rate-limiting or Captcha
Denial of Service (DoS) attacks
SSL/TLS best practices
Vulnerabilities affecting outdated browsers or mobile binaries; only exploits working on the latest versions of Safari, Firefox, Chrome, Edge, and IE, and on the versions of our application that are currently in app stores, will be accepted
If you believe you've discovered a security vulnerability, please share the details with TaxBit by submitting the form below.
TaxBit will acknowledge receipt of your report within 2 business days, provide you with an estimated timetable for resolution of the vulnerability, notify you when the vulnerability is fixed, and—with your permission—publicly acknowledge your responsible disclosure.
Email communication between you and TaxBit—including, without limitation, emails you send to TaxBit reporting a potential security vulnerability—shouldn't contain any of your proprietary information. The contents of all email communication you send to TaxBit shall be considered non-proprietary.
TaxBit, or any of its affiliates, may use such communication or material for any purpose whatsoever including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting.
Further, TaxBit and its affiliates are free to use any ideas, concepts, know-how, or techniques contained in any communication or material you send to TaxBit for any purpose whatsoever including, but not limited to, fixing, developing, manufacturing, and marketing products.
By submitting any information, you're granting TaxBit a perpetual, royalty-free and irrevocable right and license to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer, and sell such information.