Responsible Disclosure

Introduction

Tiqets is an innovative ticketing platform and our mission is to make culture more accessible. We implement this mission by providing instant ticket delivery, mobile entry to venues, 24/7 customer support, and content in more than 10 languages.

We work hard to keep our systems and applications secure. Despite our efforts to keep the highest standard of security for our systems, there can still be vulnerabilities.

We value the assistance of the security community in identifying these issues to help keep our applications and systems secure.

If you’ve found a security vulnerability

If you’ve found a vulnerability in one of our systems or applications, please get in touch so we can take steps to address it as quickly as possible.

What we promise

  • If you have followed the instructions below, we will not take any legal action against you in regard to the report.
  • We will handle your report with strict confidentiality – we won’t pass on your personal details to third parties without your permission.
  • We will keep you informed during the process of resolving the problem.
  • We strive to resolve any problems as quickly as possible and would like to play an active role in their ultimate publication after they’re resolved.

Please do the following

  • E-mail your findings to responsible-disclosure@tiqets.com.
  • Provide your name, email address, and/or telephone number.
    • Reporting under a pseudonym is always possible, but please ensure that we can contact you in case we have additional questions.
  • Provide sufficient information to reproduce the problem, so our security team can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  • Erase all data obtained through the vulnerability as soon as it is reported to our security team.
  • Read our guidelines below.

Guidelines

  • Do not reveal the problem to others until it has been resolved.
  • Do not take advantage of the vulnerability or problem you have discovered by unnecessarily copying, deleting, adapting or viewing data, or by downloading more data than necessary to demonstrate the vulnerability.
  • Do not generate a lot of unpaid orders.
  • Use of automated scanners and tools to find vulnerabilities is strictly not allowed.
  • If you manage to book a ticket for free, you should not continue to book more tickets.
  • In the event that you bypass our security systems, do not make changes.
  • Do not generate a flood of errors in our monitoring by excessively using automated scanning tools.
  • We don’t reply to “beg bounty” requests: a report that does not disclose the actual issue will not be processed.

If you wish to publish information about the vulnerability you found, we ask that you notify us at least one month before publication and to give us the opportunity to respond. Identifying Tiqets in a publication is only possible after we have given our explicit approval.

Non-qualifying bugs

  • Automated scan reports
  • Open HTTP redirections
  • Missing HTTP security headers and cookie flags on non-sensitive cookies
  • Rate-limit or brute-force attacks
  • DoS or DDoS attacks
  • Phishing or spam attacks (including SPF/DKIM/DMARC-related issues)
  • Vulnerabilities found in third-party services
  • Issues requiring direct physical access to the victim’s machine or device
  • Placing malware (virus, worm, Trojan horse, etc.)
  • Use of automated scanners without requesting explicit permission

Rewards

As a token of our gratitude for your assistance, we may offer a reward for reports of security problems that are not yet known to us. The amount of the reward will be determined based on the severity of the leak and the quality of the report.

We don't reward without prior review by our security team.