[{"id":3767666,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### In scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of 
Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Enterprise Feature Testing\n\nPlease see [this guide](https://docs.google.com/document/d/1Sov_CqRX6FS-UbjOmMI2C2qwk5HBKFOP_gLDWvQDRVY/edit) for directions on how to request an enterprise account for testing.\n\n**Enterprise Scope**\n* All content found under https://staging.airtable.com/admin\n  * User management\n  * Service accounts\n  * User groups\n  * Workspace management\n  * Base management\n  * Interface management\n  * Data sets\n  * Report generation\n* All content gated by enterprise admin controls (see the Settings panel in the enterprise admin portal)\n\nAll Enterprise documentation can be found here: https://support.airtable.com/docs/airtable-enterprise-support\n\n### Out of scope\n\nWe generally do not accept reports that are simply the output from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.\n\nIf a report is a duplicate, we won't award a bounty or reputation. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nA specific vulnerable behavior found in one part of Airtable is not necessarily eligible for a bounty if an identical problem is uncovered in another part of Airtable, though we'll assess this on a case-by-case basis. If the same vulnerability affects multiple parts of the product, please let us know in a single report; we'll take that into consideration when assessing severity (such a vulnerability might be eligible for a higher reward), and when marking reports as resolved. 
For example, if we fail to sanitize URLs in five parts of the Airtable product, that should probably be one report, not five.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* [community.airtable.com](https://community.airtable.com/)\n* API keys disclosed by Airtable users on Github or elsewhere on the web are not in scope. It is up to users to safeguard their own API keys, and we are working with Github to notify users when they commit API keys.\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. 
For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Changing the `Host` header to cause redirects\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those but we encourage you to report issues to both us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. 
As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above, and the bounty amount will be determined on a case-by-case basis.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-12-19T22:11:09.095Z"},{"id":3710102,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### In scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Enterprise Feature Testing\n\nPlease see [this guide](https://docs.google.com/document/d/1Sov_CqRX6FS-UbjOmMI2C2qwk5HBKFOP_gLDWvQDRVY/edit) for directions on how to request an enterprise account for testing.\n\n**Enterprise Scope**\n* All content found under https://staging.airtable.com/admin\n  * User management\n  * Service accounts\n  * User groups\n  * Workspace management\n  * Base management\n  * Interface management\n  * Data sets\n  * Report generation\n* All content gated by enterprise admin controls (see the Settings panel in the enterprise admin portal)\n\nAll Enterprise documentation can be 
found here: https://support.airtable.com/docs/airtable-enterprise-support\n\n### Out of scope\n\nWe generally do not accept reports that are simply the output from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.\n\nIf a report is a duplicate, we won't award a bounty or reputation. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nA specific vulnerable behavior found in one part of Airtable is not necessarily eligible for a bounty if an identical problem is uncovered in another part of Airtable, though we'll assess this on a case-by-case basis. If the same vulnerability affects multiple parts of the product, please let us know in a single report; we'll take that into consideration when assessing severity (such a vulnerability might be eligible for a higher reward), and when marking reports as resolved. For example, if we fail to sanitize URLs in five parts of the Airtable product, that should probably be one report, not five.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* [community.airtable.com](https://community.airtable.com/)\n* **File uploads are out of scope.**\n* API keys disclosed by Airtable users on Github or elsewhere on the web are not in scope. 
It is up to users to safeguard their own API keys, and we are working with Github to notify users when they commit API keys.\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Changing the `Host` header to cause redirects\n* 
Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those but we encourage you to report issues to both us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above, and the bounty amount will be determined on a case-by-case basis.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-02T19:41:26.222Z"},{"id":3656352,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. 
If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### In scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Out of scope\n\nWe generally do not accept reports that are simply the output 
from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.\n\nIf a report is a duplicate, we won't award a bounty or reputation. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nA specific vulnerable behavior found in one part of Airtable is not necessarily eligible for a bounty if an identical problem is uncovered in another part of Airtable, though we'll assess this on a case-by-case basis. If the same vulnerability affects multiple parts of the product, please let us know in a single report; we'll take that into consideration when assessing severity (such a vulnerability might be eligible for a higher reward), and when marking reports as resolved. For example, if we fail to sanitize URLs in five parts of the Airtable product, that should probably be one report, not five.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* [community.airtable.com](https://community.airtable.com/)\n* **File uploads are out of scope.**\n* API keys disclosed by Airtable users on Github or elsewhere on the web are not in scope. 
It is up to users to safeguard their own API keys, and we are working with Github to notify users when they commit API keys.\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Changing the `Host` header to cause redirects\n* 
Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those but we encourage you to report issues to both us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above, and the bounty amount will be determined on a case-by-case basis.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-06T23:50:45.102Z"},{"id":3651218,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. 
If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### In scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Out of scope\n\nWe generally do not accept reports that are simply the output 
from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.\n\nIf a report is a duplicate, we won't award a bounty or reputation. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nA specific vulnerable behavior found in one part of Airtable is not necessarily eligible for a bounty if an identical problem is uncovered in another part of Airtable, though we'll assess this on a case-by-case basis. If the same vulnerability affects multiple parts of the product, please let us know in a single report; we'll take that into consideration when assessing severity (such a vulnerability might be eligible for a higher reward), and when marking reports as resolved. For example, if we fail to sanitize URLs in five parts of the Airtable product, that should probably be one report, not five.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* [community.airtable.com](https://community.airtable.com/)\n* **File uploads are temporarily out of scope. 
We've received a high volume of reports about file uploads and want to make sure we properly address all of them.**\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Changing the `Host` header to cause redirects\n* Missing 
subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those but we encourage you to report issues to both us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above, and the bounty amount will be determined on a case-by-case basis.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-16T16:41:30.597Z"},{"id":3650738,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. 
If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### In scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Out of scope\n\nWe generally do not accept reports that are simply the output 
from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.\n\nIf a report is a duplicate, we won't award a bounty or reputation. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nA specific vulnerable behavior found in one part of Airtable is not necessarily eligible for a bounty if an identical problem is uncovered in another part of Airtable, though we'll assess this on a case-by-case basis. If the same vulnerability affects multiple parts of the product, please let us know in a single report—we'll take that into consideration when assessing severity (such a vulnerability might be eligible for a higher reward), and when marking reports as resolved. For example, if we fail to sanitize URLs in five parts of the Airtable product, that should probably be one report, not five.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* [community.airtable.com](https://community.airtable.com/)\n* **File uploads are temporarily out of scope. 
We've received a high volume of reports about file uploads and want to make sure we properly address all of them.**\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Changing the `Host` header to cause redirects\n* Missing 
subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nDependency confusion/supply chain attacks are temporarily out of scope, while we investigate open issues.\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third-party issues\n\nAirtable uses several third-party services. If they have vulnerabilities, we'd like to know. We can't guarantee a bounty for those, but we encourage you to report issues both to us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-02T20:32:32.735Z"},{"id":3630344,"new_policy":"Airtable considers privacy and security to be core functions of our platform. 
Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### In scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee 
below for more on third-party vulnerabilities.\n\n### Out of scope\n\nWe generally do not accept reports that are simply the output from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.\n\nIf a report is a duplicate, we won't award a bounty or reputation. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nA specific vulnerable behavior found in one part of Airtable is not necessarily eligible for a bounty if an identical problem is uncovered in another part of Airtable, though we'll assess this on a case-by-case basis. If the same vulnerability affects multiple parts of the product, please let us know in a single report—we'll take that into consideration when assessing severity (such a vulnerability might be eligible for a higher reward), and when marking reports as resolved. For example, if we fail to sanitize URLs in five parts of the Airtable product, that should probably be one report, not five.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* [community.airtable.com](https://community.airtable.com/)\n* **File uploads are temporarily out of scope. 
We've received a high volume of reports about file uploads and want to make sure we properly address all of them.**\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Changing the `Host` header to cause redirects\n* Missing 
subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third-party issues\n\nAirtable uses several third-party services. If they have vulnerabilities, we'd like to know. We can't guarantee a bounty for those, but we encourage you to report issues both to us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-11T19:27:28.154Z"},{"id":3618572,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. 
If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### In scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Out of scope\n\nWe generally do not accept reports that are simply the output 
from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.\n\nIf a report is a duplicate, we won't award a bounty. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nA specific vulnerable behavior found in one part of Airtable is not necessarily eligible for a bounty if an identical problem is uncovered in another part of Airtable, though we'll assess this on a case-by-case basis. If the same vulnerability affects multiple parts of the product, please let us know in a single report—we'll take that into consideration when assessing severity (such a vulnerability might be eligible for a higher reward), and when marking reports as resolved. For example, if we fail to sanitize URLs in five parts of the Airtable product, that should probably be one report, not five.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* [community.airtable.com](https://community.airtable.com/)\n* **File uploads are temporarily out of scope. 
We've received a high volume of reports about file uploads and want to make sure we properly address all of them.**\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Changing the `Host` header to cause redirects\n* Missing 
subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third-party issues\n\nAirtable uses several third-party services. If they have vulnerabilities, we'd like to know. We can't guarantee a bounty for those, but we encourage you to report issues both to us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-09T17:48:55.607Z"},{"id":3608317,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. 
If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### In scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Out of scope\n\nWe generally do not accept reports that are simply the output 
from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.\n\nIf a report is a duplicate, we won't award a bounty. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nA specific vulnerable behavior found in one part of Airtable is not necessarily eligible for a bounty if an identical problem is uncovered in another part of Airtable, though we'll assess this on a case-by-case basis. If the same vulnerability affects multiple parts of the product, please let us know in a single report—we'll take that into consideration when assessing severity (such a vulnerability might be eligible for a higher reward), and when marking reports as resolved. For example, if we fail to sanitize URLs in five parts of the Airtable product, that should probably be one report, not five.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* **File uploads are temporarily out of scope. 
We've received a high volume of reports about file uploads and want to make sure we properly address all of them.**\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Changing the `Host` header to cause redirects\n* Missing 
subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third-party issues\n\nAirtable uses several third-party services. If they have vulnerabilities, we'd like to know. We can't guarantee a bounty for those, but we encourage you to report issues both to us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-04-26T20:41:44.425Z"},{"id":3598931,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. 
If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### In scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Out of scope\n\nWe generally do not accept reports that are simply the output 
from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.\n\nIf a report is a duplicate, we won't award a bounty. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nA specific vulnerable behavior found in one part of Airtable is not necessarily eligible for a bounty if an identical problem is uncovered in another part of Airtable, though we'll assess this on a case-by-case basis. If the same vulnerability affects multiple parts of the product, please let us know in a single report—we'll take that into consideration when assessing severity (such a vulnerability might be eligible for a higher reward), and when marking reports as resolved. For example, if we fail to sanitize URLs in five parts of the Airtable product, that should probably be one report, not five.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* **File uploads are temporarily out of scope. 
We've received a high volume of reports about file uploads and want to make sure we properly address all of them.**\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Missing subresource integrity\n* Email security: DMARC, 
DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third-party services. If they have vulnerabilities, we'd like to know. We can't guarantee a bounty for those, but we encourage you to report issues to both us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above, and the bounty amount will be determined on a case-by-case basis.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-21T17:49:31.400Z"},{"id":3593937,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. 
If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### In scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Out of scope\n\nIf a report is a duplicate, we won't award a bounty. 
A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nWe generally do not accept reports that are simply the output from an automated security scanner (even lightly annotated). Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* **File uploads are temporarily out of scope. We've received a high volume of reports about file uploads and want to make sure we properly address all of them.**\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. 
For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those but we encourage you to report issues to both us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. 
As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above, and the bounty amount will be determined on a case-by-case basis.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-07T17:49:38.437Z"},{"id":3593363,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* **File uploads are temporarily out of scope. 
We've received a high volume of reports about file uploads and want to make sure we properly address all of them.**\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Missing subresource integrity\n* Email security: DMARC, 
DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those but we encourage you to report issues to both us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above, and the bounty amount will be determined on a case-by-case basis.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-01T23:29:26.825Z"},{"id":3591290,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. 
If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a 
bounty. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* **File uploads are temporarily out of scope. We've received a high volume of reports about file uploads and want to make sure we properly address all of them.**\n* **Reports related to rate limiting. We've temporarily and intentionally disabled certain types of throttling on our staging environment.**\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. 
For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those but we encourage you to report issues to both us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. 
As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above, and the bounty amount will be determined on a case-by-case basis.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-10-12T03:56:19.124Z"},{"id":3588424,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty. A report is a duplicate if we have another HackerOne report for the issue or if our other security review processes have already identified the issue.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* **File uploads are temporarily out of scope. 
We've received a high volume of reports about file uploads and want to make sure we properly address all of them.**\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Missing subresource integrity\n* Email security: DMARC, 
DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those but we encourage you to report issues to both us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above, and the bounty amount will be determined on a case-by-case basis.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-11T14:31:01.381Z"},{"id":3588419,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. 
If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a 
bounty.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n* **File uploads are temporarily out of scope. We've received a high volume of reports about file uploads and want to make sure we properly address all of them.**\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. 
For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those but we encourage you to report issues to both us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. 
As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above, and the bounty amount will be determined on a case-by-case basis.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-11T14:18:25.255Z"},{"id":3588173,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access 
to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses 
several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those but we encourage you to report issues to both us and to them.\n\nIf the vulnerability might reasonably affect our users, we'll likely grant a bounty. The bounty amount will be determined on a case-by-case basis due to possible difficulties assessing the true severity of the issue. As such, vulnerabilities in third-party services are *not* eligible for the default bounty amounts listed in the \"Areas in scope\" section above, and the bounty amount will be determined on a case-by-case basis.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-07T20:03:48.147Z"},{"id":3585775,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. 
If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a 
bounty.\n\nThe following areas are **always out of scope**:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n\n**Attacks that are beyond Airtable's control are generally out of scope.** These include:\n\n* Man-in-the-middle (MITM) attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Attacks requiring access to a user's device (such as physical access or remote access)\n* Attacks requiring the user's credentials\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n\n**We also ask for an exploit or proof of concept** for reports. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty. 
For example, here are some areas we generally consider to be out of scope:\n\n* Arbitrary file upload (which is a core Airtable feature)\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in third-party code or services that do not lead to an exploit\n* Generic information disclosure, such as the `Server` or `X-Powered-By` headers\n* Missing HTTP security headers, such as:\n  * Content-Security-Policy\n  * Feature-Policy\n  * HTTP Strict Transport Security\n  * HTTP Public Key Pinning\n  * X-Content-Type-Options\n  * X-XSS-Protection\n  * Referrer Policy\n  * P3P\n  * Certificate Transparency (Expect-CT)\n  * X-Download-Options\n  * X-DNS-Prefetch-Control\n\nWe also consider the following areas to be out of scope, though there may be some exceptions:\n\n* Social engineering (phishing) of Airtable staff or users\n* Username or email enumeration\n* Denials of service scoped to a single user or workspace\n* Invitation abuses (to accumulate credits or send spam)\n* API key disclosure for third-party services\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Session cookie duration\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those and encourage you to report those to both us and to them. If the vulnerability affects our users, we'll likely pay something.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-15T15:17:34.899Z"},{"id":3584786,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty.\n\nThe following areas are always out of scope:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n* [guide.airtable.com](https://guide.airtable.com/)\n\nWe generally consider the following areas to be out of scope, though there may be some exceptions:\n\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in outdated versions that do not lead to an exploit\n* Attacks 
requiring physical access to a user's device or root access to a user's device\n* Attacks requiring the user's credentials\n* MITM attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Username or email enumeration\n* Social engineering of Airtable staff or users\n* Denials of service scoped to a single user or workspace\n* API key disclosure for third-party services\n* Arbitrary file upload (which is a core Airtable feature)\n* HTTP headers\n\t* Missing HTTP security headers, such as:\n\t\t* Content-Security-Policy\n\t\t* Feature-Policy\n\t\t* HTTP Strict Transport Security\n\t\t* HTTP Public Key Pinning\n\t\t* X-Content-Type-Options\n\t\t* X-XSS-Protection\n\t\t* Referrer Policy\n\t\t* P3P\n\t\t* Certificate Transparency (Expect-CT)\n\t\t* X-Download-Options\n\t\t* X-DNS-Prefetch-Control\n\t* Informational headers that are out of scope to report, such as:\n\t\t* Server\n\t\t* X-Powered-By\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Invitation abuses (to accumulate credits or send spam)\n* Session cookie duration\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those and encourage you to report those to both us and to them. 
If the vulnerability affects our users, we'll likely pay something.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-05T22:19:57.435Z"},{"id":3584660,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\nSee below for more on third-party vulnerabilities.\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty.\n\nThe following areas are always out of scope:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n\nWe generally consider the following areas to be out of scope, though there may be some exceptions:\n\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in outdated versions that do not lead to an exploit\n* Attacks requiring physical access to a user's device or root 
access to a user's device\n* Attacks requiring the user's credentials\n* MITM attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Username or email enumeration\n* Social engineering of Airtable staff or users\n* Denials of service scoped to a single user or workspace\n* API key disclosure for third-party services\n* Arbitrary file upload (which is a core Airtable feature)\n* HTTP headers\n\t* Missing HTTP security headers, such as:\n\t\t* Content-Security-Policy\n\t\t* Feature-Policy\n\t\t* HTTP Strict Transport Security\n\t\t* HTTP Public Key Pinning\n\t\t* X-Content-Type-Options\n\t\t* X-XSS-Protection\n\t\t* Referrer Policy\n\t\t* P3P\n\t\t* Certificate Transparency (Expect-CT)\n\t\t* X-Download-Options\n\t\t* X-DNS-Prefetch-Control\n\t* Informational headers that are out of scope to report, such as:\n\t\t* Server\n\t\t* X-Powered-By\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Invitation abuses (to accumulate credits or send spam)\n* Session cookie duration\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those and encourage you to report those to both us and to them. 
If the vulnerability affects our users, we'll likely pay something.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-03T14:38:32.876Z"},{"id":3584445,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000 \n* File system access: $10,000 \n(see below about third party issues)\n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty.\n\nThe following areas are always out of scope:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n\nWe generally consider the following areas to be out of scope, though there may be some exceptions:\n\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in outdated versions that do not lead to an exploit\n* Attacks requiring physical access to a user's device or root access to a user's 
device\n* Attacks requiring the user's credentials\n* MITM attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Username or email enumeration\n* Social engineering of Airtable staff or users\n* Denials of service scoped to a single user or workspace\n* API key disclosure for third-party services\n* Arbitrary file upload (which is a core Airtable feature)\n* HTTP headers\n\t* Missing HTTP security headers, such as:\n\t\t* Content-Security-Policy\n\t\t* Feature-Policy\n\t\t* HTTP Strict Transport Security\n\t\t* HTTP Public Key Pinning\n\t\t* X-Content-Type-Options\n\t\t* X-XSS-Protection\n\t\t* Referrer Policy\n\t\t* P3P\n\t\t* Certificate Transparency (Expect-CT)\n\t\t* X-Download-Options\n\t\t* X-DNS-Prefetch-Control\n\t* Informational headers that are out of scope to report, such as:\n\t\t* Server\n\t\t* X-Powered-By\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Invitation abuses (to accumulate credits or send spam)\n* Session cookie duration\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Third party issues\n\nAirtable uses several third party services. If they have vulnerabilities, we'd like to know. We can't guarantee bounty for those and encourage you to report those to both us and to them. If the vulnerability affects our users, we'll likely pay something.\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. 
If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-03T00:03:03.991Z"},{"id":3584338,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000\n* File system access: $10,000\n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty.\n\nThe following areas are always out of scope:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n\nWe generally consider the following areas to be out of scope, though there may be some exceptions:\n\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in outdated versions that do not lead to an exploit\n* Attacks requiring physical access to a user's device or root access to a user's device\n* Attacks requiring the user's 
credentials\n* MITM attacks outside of Airtable's control (for example, modifying traffic by controlling a wireless router)\n* Username or email enumeration\n* Social engineering of Airtable staff or users\n* Denials of service scoped to a single user or workspace\n* API key disclosure for third-party services\n* Arbitrary file upload (which is a core Airtable feature)\n* HTTP headers\n\t* Missing HTTP security headers, such as:\n\t\t* Content-Security-Policy\n\t\t* Feature-Policy\n\t\t* HTTP Strict Transport Security\n\t\t* HTTP Public Key Pinning\n\t\t* X-Content-Type-Options\n\t\t* X-XSS-Protection\n\t\t* Referrer Policy\n\t\t* P3P\n\t\t* Certificate Transparency (Expect-CT)\n\t\t* X-Download-Options\n\t\t* X-DNS-Prefetch-Control\n\t* Informational headers that are out of scope to report, such as:\n\t\t* Server\n\t\t* X-Powered-By\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Invitation abuses (to accumulate credits or send spam)\n* Session cookie duration\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-01T19:26:04.049Z"},{"id":3584247,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000\n* File system access: $10,000\n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty.\n\nThe following areas are always out of scope:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n\nWe generally consider the following areas to be out of scope, though there may be some exceptions:\n\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in outdated versions that do not lead to an exploit\n* Attacks requiring physical access to a user's device or root access to a user's device\n* Attacks requiring the user's 
credentials\n* Username or email enumeration\n* Social engineering of Airtable staff or users\n* Denials of service scoped to a single user or workspace\n* API key disclosure for third-party services\n* Arbitrary file upload (which is a core Airtable feature)\n* HTTP headers\n\t* Missing HTTP security headers, such as:\n\t\t* Content-Security-Policy\n\t\t* Feature-Policy\n\t\t* HTTP Strict Transport Security\n\t\t* HTTP Public Key Pinning\n\t\t* X-Content-Type-Options\n\t\t* X-XSS-Protection\n\t\t* Referrer Policy\n\t\t* P3P\n\t\t* Certificate Transparency (Expect-CT)\n\t\t* X-Download-Options\n\t\t* X-DNS-Prefetch-Control\n\t* Informational headers that are out of scope to report, such as:\n\t\t* Server\n\t\t* X-Powered-By\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Invitation abuses (to accumulate credits or send spam)\n* Session cookie duration\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-31T17:43:30.408Z"},{"id":3584246,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000\n* File system access: $10,000\n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty.\n\nThe following areas are always out of scope:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n\nWe generally consider the following areas to be out of scope, though there may be some exceptions:\n\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in outdated versions that do not lead to an exploit\n* Attacks requiring physical access to a user's device or root access to a user's device\n* Attacks requiring the user's 
credentials\n* Username or email enumeration\n* Social engineering of Airtable staff or users\n* Denials of service scoped to a single user or workspace\n* API key disclosure for third-party services\n* HTTP headers\n\t* Missing HTTP security headers, such as:\n\t\t* Content-Security-Policy\n\t\t* Feature-Policy\n\t\t* HTTP Strict Transport Security\n\t\t* HTTP Public Key Pinning\n\t\t* X-Content-Type-Options\n\t\t* X-XSS-Protection\n\t\t* Referrer Policy\n\t\t* P3P\n\t\t* Certificate Transparency (Expect-CT)\n\t\t* X-Download-Options\n\t\t* X-DNS-Prefetch-Control\n\t* Informational headers that are out of scope to report, such as:\n\t\t* Server\n\t\t* X-Powered-By\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Invitation abuses (to accumulate credits or send spam)\n* Session cookie duration\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-31T17:43:03.696Z"},{"id":3584231,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000\n* File system access: $10,000\n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty.\n\nThe following areas are always out of scope:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n\nWe generally consider the following areas to be out of scope, though there may be some exceptions:\n\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in outdated versions\n* Attacks requiring physical access to a user's device or root access to a user's device\n* Attacks requiring the user's credentials\n* Username or email 
enumeration\n* Social engineering of Airtable staff or users\n* Denials of service scoped to a single user or workspace\n* API key disclosure for third-party services\n* HTTP headers\n\t* Missing HTTP security headers, such as:\n\t\t* Content-Security-Policy\n\t\t* Feature-Policy\n\t\t* HTTP Strict Transport Security\n\t\t* HTTP Public Key Pinning\n\t\t* X-Content-Type-Options\n\t\t* X-XSS-Protection\n\t\t* Referrer Policy\n\t\t* P3P\n\t\t* Certificate Transparency (Expect-CT)\n\t\t* X-Download-Options\n\t\t* X-DNS-Prefetch-Control\n\t* Informational headers that are out of scope to report, such as:\n\t\t* Server\n\t\t* X-Powered-By\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Invitation abuses (to accumulate credits or send spam)\n* Session cookie duration\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Issues related to password policies\n* Disclosure of non-sensitive internal IDs (such as user IDs)\n* Exploits requiring users to modify code running on their own device (opening up browser developer tools and running commands, for example)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. 
If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-31T15:22:17.017Z"},{"id":3584158,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at airtable.com or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000\n* File system access: $10,000\n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty.\n\nThe following areas are always out of scope:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](https://blog.airtable.com/)\n* [support.airtable.com](https://support.airtable.com/)\n\nWe generally consider the following areas to be out of scope, though there may be some exceptions:\n\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in outdated versions\n* Attacks requiring physical access to a user's device or root access to a user's device\n* Attacks requiring the user's credentials\n* Username or email 
enumeration\n* Social engineering of Airtable staff or users\n* Denials of service scoped to a single user or workspace\n* API key disclosure for third-party services\n* HTTP headers\n\t* Missing HTTP security headers, such as:\n\t\t* Content-Security-Policy\n\t\t* Feature-Policy\n\t\t* HTTP Strict Transport Security\n\t\t* HTTP Public Key Pinning\n\t\t* X-Content-Type-Options\n\t\t* X-XSS-Protection\n\t\t* Referrer Policy\n\t\t* P3P\n\t\t* Certificate Transparency (Expect-CT)\n\t\t* X-Download-Options\n\t\t* X-DNS-Prefetch-Control\n\t* Informational headers that are out of scope to report, such as:\n\t\t* Server\n\t\t* X-Powered-By\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Invitation abuses (to accumulate credits or send spam)\n* Session cookie duration\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Issues related to password policies\n* Disclosure of internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-30T20:18:53.738Z"},{"id":3584157,"new_policy":"Airtable considers privacy and security to be core functions of our platform. 
Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at [airtable.com](http://airtable.com/) or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000\n* File system access: $10,000\n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge 
that is not the latest)\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty.\n\nThe following areas are always out of scope:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](http://blog.airtable.com/)\n* [support.airtable.com](http://support.airtable.com/)\n\nWe generally consider the following areas to be out of scope, though there may be some exceptions:\n\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in outdated versions\n* Attacks requiring physical access to a user's device or root access to a user's device\n* Attacks requiring the user's credentials\n* Username or email enumeration\n* Social engineering of Airtable staff or users\n* Denials of service scoped to a single user or workspace\n* API key disclosure for third-party services\n* HTTP headers\n\t* Missing HTTP security headers, such as:\n\t\t* Content-Security-Policy\n\t\t* Feature-Policy\n\t\t* HTTP Strict Transport Security\n\t\t* HTTP Public Key Pinning\n\t\t* X-Content-Type-Options\n\t\t* X-XSS-Protection\n\t\t* Referrer Policy\n\t\t* P3P\n\t\t* Certificate Transparency (Expect-CT)\n\t\t* X-Download-Options\n\t\t* X-DNS-Prefetch-Control\n\t* Informational headers that are out of scope to report, such as:\n\t\t* Server\n\t\t* X-Powered-By\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Invitation abuses (to accumulate credits or send spam)\n* Session cookie duration\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Issues related to password policies\n* Disclosure of internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. 
If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-30T20:18:03.089Z"},{"id":3584149,"new_policy":"Airtable considers privacy and security to be core functions of our platform. Earning and keeping the trust of our users is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.\n\nPlease let us know about it and we'll make every effort to quickly correct the issue.\n\n## Vulnerabilities\n\n**Only perform testing against our web staging environment at staging.airtable.com.** Do not perform any testing against our production site at [airtable.com](http://airtable.com/) or our downloadable apps.\n\n### Areas in scope\n\nWe typically use [the CVSS calculator](https://www.first.org/cvss/calculator/3.0) to determine severity. 
We reward bounties based on severity.\n\nThe following areas are generally considered of Critical severity:\n\n* Stored cross-site scripting (XSS) vulnerability: $5000\n* Remote code execution: $10,000\n* File system access: $10,000\n\nThe following areas are generally considered to be High severity:\n\n* Privilege escalation (for example, seeing something that should be locked or editing something that shouldn't be editable) or authentication issues\n* Cross-Site Request Forgery (CSRF) on user data\n* Sensitive data sent unencrypted (for example, with HTTP and not HTTPS)\n\nThe following areas are generally considered to be Medium severity:\n\n* Vulnerabilities when uploading CSVs\n* Insecure TLS configuration when a fix would be backwards-compatible\n* Lack of `secure` or HTTP-only flags on sensitive cookies\n\nThe following areas are generally considered to be Low severity:\n\n* Self-XSS (XSS), a user performing XSS on themselves only\n* Leaking the `Referer` header when leaving Airtable, disclosing sensitive information\n* On a case-by-case basis, issues with publicly-available malicious browser extensions that capture user data\n* On a case-by-case basis, exploits for legacy browsers (any version of Internet Explorer or any version of Chrome/Firefox/Safari/Chromium/Opera/Edge that is not the latest)\n\n### Areas out of scope\n\nIf a report is a duplicate, we won't award a bounty.\n\nThe following areas are always out of scope:\n\n* Production airtable.com\n* Our desktop apps\n* Our mobile apps\n* [blog.airtable.com](http://blog.airtable.com/)\n* [support.airtable.com](http://support.airtable.com/)\n\nWe generally consider the following areas to be out of scope, though there may be some exceptions:\n\n* Mis-adherence to best practices that does not lead to an exploit\n* Vulnerabilities in outdated versions\n* Attacks requiring physical access to a user's device or root access to a user's device\n* Attacks requiring the user's credentials\n* Username or email 
enumeration\n* Social engineering of Airtable staff or users\n* Denials of service scoped to a single user or workspace\n* API key disclosure for third-party services\n* HTTP headers\n\t* Missing HTTP security headers, such as:\n\t\t* Content-Security-Policy\n\t\t* Feature-Policy\n\t\t* HTTP Strict Transport Security\n\t\t* HTTP Public Key Pinning\n\t\t* X-Content-Type-Options\n\t\t* X-XSS-Protection\n\t\t* Referrer Policy\n\t\t* P3P\n\t\t* Certificate Transparency (Expect-CT)\n\t\t* X-Download-Options\n\t\t* X-DNS-Prefetch-Control\n\t* Informational headers that are out of scope to report, such as:\n\t\t* Server\n\t\t* X-Powered-By\n* Missing subresource integrity\n* Email security: DMARC, DKIM, SPF\n* DNSSEC\n* Invitation abuses (to accumulate credits)\n* Session cookie duration\n* Exported CSV files that can execute commands in Excel, Numbers, Google Sheets, or other CSV programs\n* Issues related to password policies\n* Disclosure of internal IDs (such as user IDs)\n* Two-factor authentication (2FA) bypass with third-party sign-ins like Google\n\nIf you're not sure whether an issue is in scope, we'd appreciate it if you file a report anyway!\n\n## Disclosure guidelines\n\nDo not disclose any issues to the public or to any third party without Airtable's permission. If you have questions, please ask us!\n\n## Thanks\n\nWe believe in recognizing the work of others. If your work helps us improve the security of our service, we'd be happy to [acknowledge your contribution](/airtable/thanks).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-30T18:54:13.850Z"}]