Vulnerability Responsible Disclosure Version 1.1 -
Published Tue, 31 October, 2023
Responsible Disclosure Program
If you have discovered or believe you have discovered a potential security vulnerability, we encourage you to disclose it in accordance with this responsible disclosure program.
We will work with you to validate and respond to security vulnerabilities that you report to us. Because public disclosure of a security vulnerability could put the entire Tabnine community at risk, we require that you keep such potential vulnerabilities confidential until we are able to address them. We will not take legal action against you or suspend or terminate your access to any Tabnine services, provided that you discover and report security vulnerabilities in accordance with this Responsible Disclosure Program. Tabnine reserves all of its legal rights in the event of any noncompliance.
Discovering Security Vulnerabilities
Please read this carefully to ensure you understand both the allowed and disallowed methods for discovery. Tabnine reserves all of its legal rights in the event of any noncompliance.
We encourage responsible security research on the Tabnine website - www.tabnine.com, and all sub-domains, Tabnine Cloud services, and other Tabnine web services and standalone software libraries. We allow you to conduct vulnerability research and testing on the Tabnine Cloud services to which you have authorized access. Authorized access includes Tabnine Cloud services that you have purchased, Tabnine Cloud account management for your account, or company owned account.
In no event shall your research and testing involve:
- Accessing, or attempting to access, accounts or data that does not belong to you or your Authorized Users.
- Any attempt to modify or destroy any data.
- Executing, or attempting to execute, a denial-of-service attack, whether intentional or unintentional.
- Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages.
- Testing third party websites, applications or services that integrate with the Tabnine Cloud services or self-hosted services.
- Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software, or otherwise attempting to interrupt or degrade Tabnine Cloud services or other Tabnine web services including the Tabnine website.
- Any activity that violates any applicable law.
Please take the time to read and understand each of the above points. In the event that you do not have adequate clarity on the method of your discovery, please inquire before proceeding to ensure compliance.
Reporting a Vulnerability
We encourage anyone that believes they have found a security vulnerability in our website, Tabnine Cloud, Tabnine, or other Tabnine web services, to responsibly disclose the issue.
If you can get Tabnine to do something it isn't supposed to do that causes it to lose data integrity, availability, leak information, or provide unauthorized access to APIs or data - you found a vulnerability and we want to know about it.
Please do these things, it will serve us both.
- Read and carefully review the Discovering Security Vulnerabilities section above.
- Submit your disclosure to security@tabnine.com.
- Include a clear description of the vulnerability, how it works and the impact of the exploit.
- Include a working example, or extensive documentation. Screenshots, or videos may provide supporting evidence, but are not adequate by themselves. The more details the better.
- Provide proof that the reported vulnerability can be exploited.
- Verify your claims are correct and valid, each claim should be supported by the documented recreate steps.
Please don't do any of these things, it won't help either of us.
- Demand status updates on existing submissions. We will do our best to be timely.
- Ask for ransom, or any suggested bounty. Don't be that guy.
- Send a link to a best practice unless you can demonstrate a workable exploit that would be solved by the linked content.
- Describe a theoretical vulnerability, we deal mostly in the real world.
It may take us from 1-2 weeks to review the report and verify the vulnerability. If your report does not meet the submission guidelines, or does not adequately prove a vulnerability the report will be rejected.
In most cases, when a report is rejected, the Tabnine security team will respond to ask for additional clarification or evidence. However, if it is clear that the reporter has not invested any reasonable amount of time to follow the submission guidelines, no response will be offered. We value your time and effort, we ask that you do the same for us.
Once we determine a report has identified a real vulnerability you can expect that we will let you know we have accepted your report.