[{"id":3769207,"new_policy":"#We ask that you adhere to the following guidelines:\n\n**Please use the following paths for new account signup \u0026 login!** If you are using your HackerOne email alias or the `X-HackerOne-Research: [H1 username]` as outlined in the \"Test Plan\" \u0026 \"Session Layer\" sections of the program guidelines below, you will be redirected to the listed paths.\nhttps://login.tines.com/research/signup\nhttps://login.tines.com/research/login\n\nYou may also use the attached Burp Suite project setting config (F5313538), or add the provided ZAP replace config at the end of your \"replacer\" element within the XML config (F5313534) which can be found in ZAP (Help \u003e Support Info... \u003e Scroll to the bottom and find \"ZAP Home Directory\" \u003e In the ZAP home directory open `config.xml` \u003e search for \"replacer\" \u003e add the rule at the end of the element). In either scenario, please modify the `[H1 username]` placeholder value to match your specific username.\n\n*Do not disclose the vulnerability outside of the VDP\n*Do not violate any laws\n*Do not disrupt services (DoS/DDoS)\n*Do not access, modify, or destroy any accounts or data that do not belong to you\n\nTines has extensive documentation of our features \u0026 API's, and their intended uses, available on our marketing site.\nhttps://www.tines.com/docs/quickstart/\nhttps://www.tines.com/api/welcome/\n\nWhen submitting reports on potential vulnerabilities, please consider the real-world implications of the potential vulnerability and if the report indicates a real-world impact, such as privilege escalation, sensitive information disclosure, or the ability to affect resources not owned by the tenant/team they are associated with. This includes recognizing that the Tines Intelligent Workflow platform is designed to allow Tenant Owners full control over resources within their specific tenant.\n\nRegarding the Tines run-script feature, before submitting a potential vulnerability report, please assess if the team/tenant isolation is able to be compromised or escaped from. For more information on the run-script feature please see our extensive documentation.\nhttps://www.tines.com/docs/actions/tools/run-script/\nhttps://www.tines.com/blog/python-tines-how-to-guide/\n\nYou can find more information regarding security at Tines here:\nhttps://www.tines.com/security/\n\n#Out of Scope  \n\n* HTTPS / TLS security headers suggestions\n* Direct testing of 3rd parties\n* SPF / DMARC / DKIM / DNSSEC suggestions\n* Banner/version disclosure\n* Social engineering / phishing / spam\n\n# Program Rules\n* Please see the Test Plan below for information on account creation.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for a free account through our website\n* All researchers are **required to use their hacker email alias  or the `X-HackerOne-Research` header** when testing (h1username@wearehackerone.com)\n* Researchers using `@gmail.com` or any other domain other than their hacker email alias, without also using the provided headers, are subject to Tines account deletion and possible program exclusion\n\n## Session Layer: HTTP Headers\nResearchers **must add headers to requests if not using the `@wearehackerone.com` email alias**, such as: \n* “X-HackerOne-Research: [H1 username]”\n\nThank you for helping keep Tines and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Tines looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-03T21:11:25.416Z"},{"id":3769206,"new_policy":"#We ask that you adhere to the following guidelines:\n\n**Please use the following paths for new account signup \u0026 login!** If you are using your HackerOne email alias or the `X-HackerOne-Research: [H1 username]` as outlined in the \"Test Plan\" \u0026 \"Session Layer\" sections of the program guidelines below, you will be redirected to the listed paths.\nhttps://login.tines.com/research/signup\nhttps://login.tines.com/research/login\n\nYou may also use the attached Burp Suite project setting config (F5313538), or add the provided ZAP replace config at the end of your \"replacer\" element within the XML config (F5313534) which can be found in ZAP (Help \u003e Support Info... \u003e Scroll to the bottom and find \"ZAP Home Directory\" \u003e In the ZAP home directory open `config.xml\" \u003e search for \"replacer\" \u003e add the rule at the end of the element). In either scenario, please modify the `[H1 username]` placeholder value to match your specific username.\n\n*Do not disclose the vulnerability outside of the VDP\n*Do not violate any laws\n*Do not disrupt services (DoS/DDoS)\n*Do not access, modify, or destroy any accounts or data that do not belong to you\n\nTines has extensive documentation of our features \u0026 API's, and their intended uses, available on our marketing site.\nhttps://www.tines.com/docs/quickstart/\nhttps://www.tines.com/api/welcome/\n\nWhen submitting reports on potential vulnerabilities, please consider the real-world implications of the potential vulnerability and if the report indicates a real-world impact, such as privilege escalation, sensitive information disclosure, or the ability to affect resources not owned by the tenant/team they are associated with. This includes recognizing that the Tines Intelligent Workflow platform is designed to allow Tenant Owners full control over resources within their specific tenant.\n\nRegarding the Tines run-script feature, before submitting a potential vulnerability report, please assess if the team/tenant isolation is able to be compromised or escaped from. For more information on the run-script feature please see our extensive documentation.\nhttps://www.tines.com/docs/actions/tools/run-script/\nhttps://www.tines.com/blog/python-tines-how-to-guide/\n\nYou can find more information regarding security at Tines here:\nhttps://www.tines.com/security/\n\n#Out of Scope  \n\n* HTTPS / TLS security headers suggestions\n* Direct testing of 3rd parties\n* SPF / DMARC / DKIM / DNSSEC suggestions\n* Banner/version disclosure\n* Social engineering / phishing / spam\n\n# Program Rules\n* Please see the Test Plan below for information on account creation.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for a free account through our website\n* All researchers are **required to use their hacker email alias  or the `X-HackerOne-Research` header** when testing (h1username@wearehackerone.com)\n* Researchers using `@gmail.com` or any other domain other than their hacker email alias, without also using the provided headers, are subject to Tines account deletion and possible program exclusion\n\n## Session Layer: HTTP Headers\nResearchers **must add headers to requests if not using the `@wearehackerone.com` email alias**, such as: \n* “X-HackerOne-Research: [H1 username]”\n\nThank you for helping keep Tines and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Tines looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-03T21:07:05.203Z"},{"id":3769205,"new_policy":"#We ask that you adhere to the following guidelines:\n\n**Please use the following paths for new account signup \u0026 login!** If you are using your HackerOne email alias or the `X-HackerOne-Research: [H1 username]` as outlined in the \"Test Plan\" \u0026 \"Session Layer\" sections of the program guidelines below, you will be redirected to the listed paths.\nhttps://login.tines.com/research/signup\nhttps://login.tines.com/research/login\n\nYou may also use the attached Burp Suite project setting config (F5313538), or add the provided ZAP replace config at the end of your \"replacer\" element within the XML config (F5313534) which can be found in ZAP (Help \u003e Support Info... \u003e Scroll to the bottom and find \"ZAP Home Directory\" \u003e In the ZAP home directory open `config.xml\" \u003e search for \"replacer\" \u003e add the rule at the end of the element). In either scenario, please modify the `[H1 researcher]` placeholder value to match your specific username.\n\n*Do not disclose the vulnerability outside of the VDP\n*Do not violate any laws\n*Do not disrupt services (DoS/DDoS)\n*Do not access, modify, or destroy any accounts or data that do not belong to you\n\nTines has extensive documentation of our features \u0026 API's, and their intended uses, available on our marketing site.\nhttps://www.tines.com/docs/quickstart/\nhttps://www.tines.com/api/welcome/\n\nWhen submitting reports on potential vulnerabilities, please consider the real-world implications of the potential vulnerability and if the report indicates a real-world impact, such as privilege escalation, sensitive information disclosure, or the ability to affect resources not owned by the tenant/team they are associated with. This includes recognizing that the Tines Intelligent Workflow platform is designed to allow Tenant Owners full control over resources within their specific tenant.\n\nRegarding the Tines run-script feature, before submitting a potential vulnerability report, please assess if the team/tenant isolation is able to be compromised or escaped from. For more information on the run-script feature please see our extensive documentation.\nhttps://www.tines.com/docs/actions/tools/run-script/\nhttps://www.tines.com/blog/python-tines-how-to-guide/\n\nYou can find more information regarding security at Tines here:\nhttps://www.tines.com/security/\n\n#Out of Scope  \n\n* HTTPS / TLS security headers suggestions\n* Direct testing of 3rd parties\n* SPF / DMARC / DKIM / DNSSEC suggestions\n* Banner/version disclosure\n* Social engineering / phishing / spam\n\n# Program Rules\n* Please see the Test Plan below for information on account creation.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for a free account through our website\n* All researchers are **required to use their hacker email alias  or the `X-HackerOne-Research` header** when testing (h1username@wearehackerone.com)\n* Researchers using `@gmail.com` or any other domain other than their hacker email alias, without also using the provided headers, are subject to Tines account deletion and possible program exclusion\n\n## Session Layer: HTTP Headers\nResearchers **must add headers to requests if not using the `@wearehackerone.com` email alias**, such as: \n* “X-HackerOne-Research: [H1 username]”\n\nThank you for helping keep Tines and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Tines looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-03T21:04:51.890Z"},{"id":3769199,"new_policy":"#We ask that you adhere to the following guidelines:\n\n**Please use the following paths for new account signup \u0026 login!** If you are using your HackerOne email alias or the `X-HackerOne-Research: [H1 username]` as outlined in the \"Test Plan\" \u0026 \"Session Layer\" sections of the program guidelines below, you will be redirected to the listed paths.\nhttps://login.tines.com/research/signup\nhttps://login.tines.com/research/login\n\nYou may also use the attached Burp Suite project setting config (F5313538), or add the provided ZAP replace config at the end of your \"replacer\" element within the XML config (F5313534) which can be found in ZAP (Help \u003e Support Info... \u003e Scroll to the bottom and find \"ZAP Home Directory\" \u003e In the ZAP home directory open `config.xml\" \u003e search for \"replacer\" \u003e add the rule at the end of the element)\n\n*Do not disclose the vulnerability outside of the VDP\n*Do not violate any laws\n*Do not disrupt services (DoS/DDoS)\n*Do not access, modify, or destroy any accounts or data that do not belong to you\n\nTines has extensive documentation of our features \u0026 API's, and their intended uses, available on our marketing site.\nhttps://www.tines.com/docs/quickstart/\nhttps://www.tines.com/api/welcome/\n\nWhen submitting reports on potential vulnerabilities, please consider the real-world implications of the potential vulnerability and if the report indicates a real-world impact, such as privilege escalation, sensitive information disclosure, or the ability to affect resources not owned by the tenant/team they are associated with. This includes recognizing that the Tines Intelligent Workflow platform is designed to allow Tenant Owners full control over resources within their specific tenant.\n\nRegarding the Tines run-script feature, before submitting a potential vulnerability report, please assess if the team/tenant isolation is able to be compromised or escaped from. For more information on the run-script feature please see our extensive documentation.\nhttps://www.tines.com/docs/actions/tools/run-script/\nhttps://www.tines.com/blog/python-tines-how-to-guide/\n\nYou can find more information regarding security at Tines here:\nhttps://www.tines.com/security/\n\n#Out of Scope  \n\n* HTTPS / TLS security headers suggestions\n* Direct testing of 3rd parties\n* SPF / DMARC / DKIM / DNSSEC suggestions\n* Banner/version disclosure\n* Social engineering / phishing / spam\n\n# Program Rules\n* Please see the Test Plan below for information on account creation.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for a free account through our website\n* All researchers are required to use their **hacker email alias** when testing (h1username@wearehackerone.com)\n* Researchers using `@gmail.com` or any other domain other than their hacker email alias are subject to Tines account deletion, and possible program exclusion\n\n## Session Layer: HTTP Headers\nResearchers **must add headers to requests if not using the `@wearehackerone.com` email alias**, such as: \n* “X-HackerOne-Research: [H1 username]”\n\nThank you for helping keep Tines and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Tines looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-03T20:40:39.053Z"},{"id":3769076,"new_policy":"#We ask that you adhere to the following guidelines:\n\n*Do not disclose the vulnerability outside of the VDP\n*Do not violate any laws\n*Do not disrupt services (DoS/DDoS)\n*Do not access, modify, or destroy any accounts or data that do not belong to you\n\nTines has extensive documentation of our features \u0026 API's, and their intended uses, available on our marketing site.\nhttps://www.tines.com/docs/quickstart/\nhttps://www.tines.com/api/welcome/\n\nWhen submitting reports on potential vulnerabilities, please consider the real-world implications of the potential vulnerability and if the report indicates a real-world impact, such as privilege escalation, sensitive information disclosure, or the ability to affect resources not owned by the tenant/team they are associated with. This includes recognizing that the Tines Intelligent Workflow platform is designed to allow Tenant Owners full control over resources within their specific tenant.\n\nRegarding the Tines run-script feature, before submitting a potential vulnerability report, please assess if the team/tenant isolation is able to be compromised or escaped from. For more information on the run-script feature please see our extensive documentation.\nhttps://www.tines.com/docs/actions/tools/run-script/\nhttps://www.tines.com/blog/python-tines-how-to-guide/\n\n#Out of Scope  \n\n* HTTPS / TLS security headers suggestions\n* Direct testing of 3rd parties\n* SPF / DMARC / DKIM / DNSSEC suggestions\n* Banner/version disclosure\n* Social engineering / phishing / spam\n\n# Program Rules\n* Please see the Test Plan below for information on account creation.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for a free account through our website\n* All researchers are required to use their **hacker email alias** when testing (h1username+HOonboarding@wearehackerone.com)\n* On account creation, utilize the `+HOonboarding` appendage , eg. ABC+HOonboarding@wearehackerone.com\n* Researchers using `@gmail.com` or any other domain other than their hacker email alias are subject to Tines account deletion, and possible program exclusion\n\n## Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\nThank you for helping keep Tines and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Tines looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-30T23:54:11.561Z"},{"id":3769075,"new_policy":"#We ask that you adhere to the following guidelines:\n\n*Do not disclose the vulnerability outside of the VDP\n*Do not violate any laws\n*Do not disrupt services (DoS/DDoS)\n*Do not access, modify, or destroy any accounts or data that do not belong to you\n\nTines has extensive documentation or our features \u0026 API's, and their intended uses, available on our marketing site.\nhttps://www.tines.com/docs/quickstart/\nhttps://www.tines.com/api/welcome/\n\nWhen submitting reports on potential vulnerabilities, please consider the real-world implications of the potential vulnerability and if the report indicates a real-world impact, such as privilege escalation, sensitive information disclosure, or the ability to affect resources not owned by the tenant/team they are associated with. This includes recognizing that the Tines Intelligent Workflow platform is designed to allow Tenant Owners full control over resources within their specific tenant.\n\nRegarding the Tines run-script feature, before submitting a potential vulnerability report, please assess if the team/tenant isolation is able to be compromised or escaped from. For more information on the run-script feature please see our extensive documentation.\nhttps://www.tines.com/docs/actions/tools/run-script/\nhttps://www.tines.com/blog/python-tines-how-to-guide/\n\n#Out of Scope  \n\n* HTTPS / TLS security headers suggestions\n* Direct testing of 3rd parties\n* SPF / DMARC / DKIM / DNSSEC suggestions\n* Banner/version disclosure\n* Social engineering / phishing / spam\n\n# Program Rules\n* Please see the Test Plan below for information on account creation.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for a free account through our website\n* All researchers are required to use their **hacker email alias** when testing (h1username+HOonboarding@wearehackerone.com)\n* On account creation, utilize the `+HOonboarding` appendage , eg. ABC+HOonboarding@wearehackerone.com\n* Researchers using `@gmail.com` or any other domain other than their hacker email alias are subject to Tines account deletion, and possible program exclusion\n\n## Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\nThank you for helping keep Tines and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Tines looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-30T23:53:08.134Z"},{"id":3768721,"new_policy":"#We ask that you adhere to the following guidelines:\n\n*Do not disclose the vulnerability outside of the VDP\n*Do not violate any laws\n*Do not disrupt services (DoS/DDoS)\n*Do not access, modify, or destroy any accounts or data that does not belong to you\n\n#Out of Scope  \n\n* HTTPS / TLS security headers suggestions\n* Direct testing of 3rd parties\n* SPF / DMARC / DKIM / DNSSEC suggestions\n* Banner/version disclosure\n* Social engineering / phishing / spam\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* On account creation, utilize the `+HOonboarding` appendage , eg. ABC+HOonboarding@wearehackerone.com\n* All researchers are required to use their **hacker email alias** when testing (h1username+HOonboarding@wearehackerone.com)\n* Researchers using `@gmail.com` or any other domain other than their hacker email alias are subject to Tines account deletion, and possible program exclusion\n\n* Users are able to sign up for a free account through our website\n* Claim credentials (when applicable) for additional testing\n\n## Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\nThank you for helping keep Tines and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Tines looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-23T17:24:53.646Z"},{"id":3768519,"new_policy":"#We ask that you adhere to the following guidelines:\n\n*Do not disclose the vulnerability outside of the VDP\n*Do not violate any laws\n*Do not disrupt services (DoS/DDoS)\n*Do not access, modify, or destroy any accounts or data that does not belong to you\n\n#Out of Scope  \n\n* HTTPS / TLS security headers suggestions\n* Direct testing of 3rd parties\n* SPF / DMARC / DKIM / DNSSEC suggestions\n* Banner/version disclosure\n* Social engineering / phishing / spam\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n* Only interact with accounts you own or with the explicit permission of the account holder.\n\n# Test Plan\n* Users are able to sign up for a free account through our website\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com)\n* Claim credentials (when applicable) for additional testing\n\n## Session Layer: HTTP Headers\nResearchers should add headers to requests such as: \n* “X-HackerOne-Research: [H1 username]”\n\nThank you for helping keep Tines and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-01-20T14:52:45.831Z"}]