The following issues are outside the scope of our Vulnerability Disclosure program::
- *.tealium.com
- CSV Injections.
- Denial of Service or brute force attacks unless they expose confidential data.
-
- Performing actions that may negatively affect Tealium or its users (e.g. spam, brute force, denial of service, etc)
- Executing brute force attempts to enumerate users beyond a proof of concept.
- Any kind of DDoS attacks.
- Any kind of rate limit, service limit, timing abuse or DoS, DDoS attacks unless the attack expose an abuse of functionality, data exfiltration or other similar abuse beyond service unavailability.
- Spamming forms through automated vulnerability are explicitly out of scope
- Performing actions that may negatively affect Tealium or its users (e.g. spam, brute force, denial of service…)
- Publically released bugs in internet software.
- Spam or social engineering techniques conducted on any Tealium employee, vendor or contractor including:
-
- SPF and DKIM issues
- Content injection
- Hyperlink injection in emails
- IDN homograph attacks
- RTL Ambiguity
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
- Conduct vulnerability testing of participating services using anything other than test accounts (e.g. Developer or Trial Edition instances).
- Violating any laws or breaching any agreements to discover vulnerabilities.
- Accessing, or attempting to access, data or information that does not belong to you.
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
- Conducting any kind of physical or electronic attack on Tealium personnel, property, data centers, corporate offices, employee personal assets or any other physical assessment of Tealium or it’s employees security.
- Our policies on presence/absence of SPF/DMARC records.
- Password, email and account policies, such as email id verification, reset link expiration, password complexity or password policy.
- Lack of CSRF tokens (unless there is evidence of actual, sensitive user action not protected by a token).
- Login/logout CSRF.
- Attacks requiring physical access to a user’s device or vulnerabilities requiring physical access to the victim’s unlocked device.
- Missing security headers which do not lead directly to a vulnerability.
- Missing best practices (we require evidence of a security vulnerability).
- Hosting malware/arbitrary content on Tealium and causing downloads.
- Self-XSS (we require evidence on how the XSS can be used to attack another Tealium user or compromise the security controls of the system).
- XSS on any site other than tealiumiq.com
- Self-XSS (to be valid, cross-site scripting issues must be exploitable in reflected, stored or persistant DOM-based types).
- Host header injections unless you can show how they can lead to stealing user data.
- Use of a known-vulnerable library (without evidence of exploitability).
- Issues relating to buggy non-Tealium client software.
- Reports of spam (i.e., any report involving ability to send emails without rate limits).
- Attacks that require attacker app to have the permission to overlay on top of our app (e.g., tapjacking).
- Social engineering of Tealium employees, vendors, contractors, account management or service desk.
- Any physical attempts against Tealium property or data centers.
- Presence of autocomplete attribute on web forms.
- Missing cookie flags on non-sensitive cookies.
- Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept exploit and not just a report from a scanner).
- Any access to data where the targeted user needs to be operating a rooted mobile device.
- Any report on bypassing our storage limits or absence of rate limiting, unless related to authentication.
- Any report about DLL hijacking without demonstrating how it gains new privileges.
- Any report about how Tealium can be used to serve malware unless this can be done by privilege escalation or violating permission boundaries.
- Content spoofing vulnerabilities (where you can only inject text or an image into a page) are out of scope. We will accept and resolve a spoofing vulnerability where an attacker can inject image or rich text (HTML). Pure text injection is out of scope.
- Ability to share links without verifying email.
- Reflected file download vulnerabilities or any vulnerabilities that let you start a download to the user’s computer are out of scope.
- IP/Port scanning of Tealium Services unless you are able to hit private IPs or Tealium servers; open ports are not a vulnerability unless you can demonstrate a valid attack vector.
- Devices (iOS, android, desktop apps) not getting unlinked on password change.
- Hyperlink injection or any link injection in emails we send.
- Creating multiple accounts using the same email or other duplication unless it demonstrates a failure of security controls.
- Phishing risk via unicode/punycode or RTLO issues.
- Being able to upload files with wrong extension.
- Accessing, or attempting to access, data or information that does not belong to you
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
- Conducting any kind of physical or electronic attack on Tealium personnel, property or data centers.
- Conduct vulnerability testing of participating services using anything other than test accounts (e.g. Developer or Trial Edition instances).
- Violating any laws or breaching any agreements in order to discover vulnerabilities.
Notes on SSRF Submissions
Before submitting an SSRF report, please ensure that the response you’re receiving is neither:
- reset
- HTTP/1.1 403 Forbidden
Either of these responses usually indicates that your request was blocked by our filters and is not a valid SSRF.
Notes on WAN Accessible Resources
Tealium realizes that some services that host Customer Data are WAN reachable and do not have IP whitelists. This is by design and is not considered a vulnerability in and of itself. If you discover a vulnerability in the Services please submit a report.