TILDA PUBLISHING

Tilda Bug Bounty Program

1. Overview
We actively work with security researchers and offer rewards for finding vulnerabilities in the Tilda platform, including its built-in tools and related services.

Below you'll find the full program rules and instructions on how to report a vulnerability.
2. General Information: Program Scope
2.1. In Scope
This program covers vulnerabilities in services, tools, and web applications owned by Tilda.
Security testing is allowed provided that it is conducted:
  • Using only your own Tilda accounts.
  • Within the functionality available under the relevant pricing plan.
  • Without disrupting production systems.
To test advanced functionality, you may use an account with an active 14-day Personal Plan trial.
2.2. Out of Scope
User-owned websites, as well as vulnerabilities in third-party services and integrations (payment providers, delivery services, data collection services, etc.), are out of scope, even if they are connected to Tilda.
An exception may apply when the vulnerability lies on Tilda's side of the integration, for example incorrect data transfer, leakage of sensitive information in requests, or flaws in the integration logic.
The following report categories are also out of scope:
  • Self-XSS and any XSS in the editor.
  • DoS/DDoS attacks.
  • Brute-force attacks without evidence of bypassing protection mechanisms.
  • CSV Injection.
  • Password policy weaknesses without the ability to bypass authentication.
  • CSRF affecting low-impact actions, such as logout.
  • Clickjacking without a demonstrated security impact.
  • Missing security controls or headers without proven practical impact.
  • SSL/TLS misconfigurations.
  • Automated scanner results without a reproducible Proof of Concept.
  • Disclosure of non-sensitive information, such as software version numbers.
  • Vulnerabilities based solely on the use of outdated software versions.
  • Social engineering.
  • Reports that do not demonstrate real security impact.
3. Priority Vulnerability Categories
We give the highest priority to vulnerabilities that affect the confidentiality, integrity, or availability of data, including:
  • Server-Side Code Execution.
  • SQL Injection.
  • Authentication/Authorization Bypass.
  • Broken Access Control.
  • Server-Side Request Forgery targeting internal services.
  • Cross-Site Scripting with impact on other users.
  • Cross-Site Request Forgery affecting sensitive actions.
  • Unrestricted File Upload.
  • Sensitive information disclosure.
  • Critical business logic flaws that lead to unauthorized access or privilege escalation.
4. Program Rules & Restrictions
Under this program, you must not:
  • Perform actions that may disrupt the platform or negatively affect platform users or other third parties.
  • Gain unauthorized access to user accounts.
  • Perform mass automated exploitation.
  • Use social engineering.
  • Go beyond the minimum level of exploitation required to confirm the vulnerability.
  • Publish a Proof of Concept before the vulnerability has been fixed and you have received permission from the Tilda security team.
  • Publicly disclose vulnerability details without prior approval from Tilda.
  • Disclose any personal data obtained during your research.
5. How to Submit a Vulnerability Report
If you have found a vulnerability, email us at: bugbounty@tilda.cc
Email subject line:
Bug Bounty Report – [Brief vulnerability description]
Your report should include:
  • The affected service or tool.
  • The vulnerability type.
  • A description of the potential impact.
  • Step-by-step reproduction instructions.
  • A Proof of Concept, if applicable.
  • Remediation recommendations, if available.
Reports without reproducible steps may be rejected.
The average initial response time is 1 business day.
6. Vulnerability Classification & Rewards
Vulnerability classification and severity are determined based on the Bugcrowd Vulnerability Rating Taxonomy (VRT).
The final assessment also takes into account:
  • The actual impact on data confidentiality, integrity, and availability.
  • The realistic exploitation scenario.
  • The complexity and reproducibility of the attack.
  • The scale of potential impact.
  • The presence of mitigating factors or limitations.
Rewards are based on the assigned classification and range from $25 to $3000, in line with payouts on leading Bug Bounty platforms such as HackerOne and Bugcrowd.
Rewards are paid only for the first correct and valid report for a specific vulnerability.
The final decision on vulnerability classification and reward amount is made by the Tilda security team based on the established criteria.
7. Contact Information
Vulnerability reports:
bugbounty@tilda.cc
General inquiries:
team@tilda.cc