Introduction
Tiqets is an innovative ticketing platform with a mission to make culture more accessible. We achieve this by providing instant ticket delivery, mobile entry to venues, 24/7 customer support, and content in over 10 languages.
We work diligently to maintain the security of our systems and applications. Despite our best efforts, vulnerabilities may still exist.
While we do not offer a bounty program, we highly value the contributions of the security community in identifying these issues to help keep our systems and applications secure.
If you’ve found a security vulnerability
If you discover a vulnerability in one of our systems or applications, please contact us promptly so we can address it as quickly as possible.
Our Commitment
- If you follow the instructions below, we will not take any legal action against you regarding your report.
- We will handle your report with strict confidentiality and will not share your personal details with third parties without your permission.
- We will do our best to keep you informed throughout the process of resolving the issue.
- We strive to resolve problems as quickly as possible.
What to Do
- E-mail your findings to responsible-disclosure@tiqets.com.
- Provide your name, email address, and/or telephone number.
- Reporting under a pseudonym is allowed, but please ensure we can contact you for additional questions.
- Provide sufficient information to reproduce the problem so our security team can resolve it quickly. Usually, the IP address or URL of the affected system and a description of the vulnerability will suffice. Complex vulnerabilities may require further explanation.
- Erase all data obtained through the vulnerability once it is reported to our security team.
- Review our guidelines below.
Guidelines
- Do not disclose the problem to others until it has been resolved.
- Do not exploit the vulnerability by unnecessarily copying, deleting, adapting, or viewing data, or by downloading more data than needed to demonstrate the vulnerability.
- Do not generate many unpaid orders.
- Do not generate a flood of errors in our monitoring by excessively using automated scanning tools.
- Do not contact our customer support agents or any other Tiqets employee; reach the security team only through responsible-disclosure@tiqets.com.
- If you manage to book a ticket for free, do not book any additional tickets.
- If you bypass our security systems, do not make any changes.
- We do not reply to bounty requests that do not disclose the issue; such reports will not be processed.
If you wish to publish information about a vulnerability you have found, please notify us at least one month before publication to give us the opportunity to respond. Identifying Tiqets in a publication is only permitted with our explicit approval.
Scope
This disclosure policy applies to externally accessible systems and services under the tiqets.com domain, including subdomains, but excluding third-party SaaS services.
Out of scope services
- Any service that results in interaction with our customer support agents.
- Other third-party SaaS services used by Tiqets.
Non-Qualifying Bugs
- Automated scan reports
- Open HTTP redirections
- Missing HTTP security headers and cookie flags on insensitive cookies
- Rate-limit deficiencies or brute-force attacks
- DoS or DDoS attacks
- Social engineering, phishing, or spam attacks (including SPF/DKIM/DMARC-related issues)
- Vulnerabilities found in third-party services
- Issues requiring direct physical access to the victim’s machine or device
- Placing malware (virus, worm, Trojan horse, etc.)
- Use of automated scanners without requesting explicit permission
Given the high volume of duplicate reports, we may not always respond to issues that are already being addressed or are in our backlog. We also do not respond to reports involving non-qualifying bugs or automated scanner results.