At Smoobu, we take data integrity and security very seriously. Due to the nature of the product and service we provide, we are committed to working with individuals to stay updated on the latest security techniques and fix any security weakness in our application or infrastructure reported to us responsibly by external parties.

Eligibility Criteria

To be eligible for a reward,

Be the first to report the issue to us.

House rules can also help your guests if they are unsure about some things – such as how to operate appliances.

Subject to the Sections below, the submitted vulnerability must have a demonstrable impact in Smoobu’s context. We use CVSS v3 as the vulnerability scoring framework.

Must contain sufficient information including a proof of concept screenshot, video, or code snippet where needed.

The person submitting the request must not be an employee, former employee or an immediate relative of an employee or former employee of Smoobu.

You must comply with the Program terms and conditions.


The following are in scope for the purposes of this policy and subject to the terms of this policy, are eligible for a reward:




Out of Scope

Anything not defined in the “Scope” section above.

Reports from automated tools or scans

Non – Acceptable Category

There are some submissions that we can’t accept for rewards. These are typically issues that we already are aware of, or issues that we think demonstrate business value that outweighs the low-level risk, or low-risk issues that are unlikely to result in a code change. Following vulnerability, classes are ineligible for rewards

Denial of Service



Malicious File Upload

Social engineering

Email Spamming / Spoofing

Content Spoofing

Clickjacking and issues are only exploitable through clickjacking that has minimal impact.

CSRF on forms that are available to anonymous users(e.g. the contact form)

CSRF with negligible security impact (e.g. adding to favourites)

Software version number disclosure

Username or Site Name enumeration

Unvalidated Open Redirects or Tab Nabbing

HTML injection

Username or email address enumeration

Phishing attack using RTLO, Unicode/Punycode

Any security weakness or missing best practice without a demonstrable security impact

Descriptive error messages.

Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs, robots.txt, etc)

Clickjacking and issues are only exploitable through clickjacking that has minimal impact.

Lack of Secure and HTTPOnly cookie flags.

Weak or missing captcha/captcha bypass.

SSL Attacks such as BEAST, BREACH, Renegotiation attack

SSL Forward secrecy not enabled

SSL Insecure cypher suites.

Missing HTTP security headers (including Anti-MIME-Sniffing header X-Content-Type-Options) that do not lead to direct exploitation.

XSS was only possible by an administrator e.g. administrators can modify HTML templates, that is not an example of an XSS vulnerability.

Self-XSS that has no security impact e.g. injecting HTML into your own RTE editor

Reports of third-party libraries without an actual proof-of-concept. e.g. if you are aware of a vulnerable library, then you need to submit a proof-of-concept showing that our use of the library is vulnerable.

Terms and Conditions

By submitting a security vulnerability to Smoobu, you acknowledge that you have read and agreed to the Terms and Conditions provided below. You agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Smoobu’s prior written approval.

1.1 You shall:

  • Comply with all applicable laws, regulations and rules, including export compliance laws and ensure you have all necessary rights relating to your participation and actions at all times;
  • Ensure you have all permissions, consents and rights necessary to allow Smoobu to use your findings for Smoobu’s business purposes without any restrictions or liability and grant to Smoobu a perpetual, irrevocable, transferable, worldwide and royalty-free license to use, copy, modify, adapt, disclose, transfer develop or otherwise exploit (including commercially) any of your findings;
  • Waive all claims against Smoobu or any third party with respect to your findings;
  • Not exploit any vulnerabilities, including by disclosing vulnerabilities to any third parties or publicly, without the prior written consent of Smoobu;
  • Not leverage any vulnerabilities against Smoobu or any third party in any manner, including to make any threats or ransom requests;
  • Not access or use any Smoobu customer account or information;
  • Use only a Smoobu account specifically created for this purpose if a Smoobu account is required to detect or test any vulnerability, which account shall be subject to these terms and conditions and the use restrictions in Smoobu’s online terms of service;
  • Take all steps to ensure that the testing interfere with or interrupt a Smoobu customer’s access to and use of Smoobu product or otherwise adversely affecting Smoobu product or its business, and immediately notify Smoobu in case you suspect any of the foregoing;
  • Not modify, copy, download, delete, compromise, adapt, tamper or otherwise process or misuse any data of Smoobu customer or any other non-public information, or engage in any act/omission that causes harm, liability or disrepute to Smoobu, its customers or partners, including incurring the loss of funds for Smoobu customer;
  • Limit your actions to those strictly necessary to detect and test vulnerabilities in Smoobu products;

1.2 Smoobu reserves the right to determine what constitutes a valid vulnerability submission that is entitled to a bounty. A valid vulnerability submission shall be rewarded with such amount as Smoobu deems appropriate. You shall be responsible for any taxes applicable to the bounty payment, including for payment of the same to the appropriate tax authorities unless otherwise required under applicable law.

1.3 Smoobu reserves the right to modify this policy and the terms and conditions herein at any time without notice, including discontinuation of the policy at any time. Any dispute relating to this policy shall be resolved amicably between the Parties. Smoobu’s decision shall be final with respect to any interpretation of the policy.

Submit a Vulnerability

Click or drag files to this area to upload. You can upload up to 5 files.