Vulnerability Disclosure Policy
Last Update:
Brand Promise
Taboola, Inc., together with its affiliates (“Taboola”, “we”, “us”, or “our”) is committed to working
with security researchers to verify and address any potential vulnerabilities in our services that are
reported to us in accordance with this Vulnerability Disclosure Policy (“Policy”). We hope to foster
an open partnership with the security community, and we recognize that the work the community
does is important in continuing to ensure the safety and security of our customers, users, and
partners.
We have developed this Policy to both reflect our corporate values and to uphold our legal
responsibility to good-faith security researchers that are providing us with their expertise and
security suggestions.
Program & Scope
We ask that all security researchers submit vulnerability reports about any of the following
(collectively, the “Services”):
- Our website, www.taboola.com, the websites of our affiliates and subsidiaries (including Connexity, Skimlinks and Gravity R&D), or any Taboola website displaying our Privacy Policy (collectively the “Sites”)
- Our content discovery platforms, feeds, widgets, analytics tools, and other technical applications that we provide on third-party websites (collectively, the “Content Discovery Platform”)
- The Taboola News suite of content-discovery tools available on mobile devices and operating systems (including the Start line of products, collectively “Taboola News”)
Legal Posture
We openly accept vulnerability reports for the Services, and Taboola will not engage in legal action
against individuals who submit vulnerability reports in accordance with this Policy. We agree not to
pursue legal action against individuals who:
- Engage in vulnerability testing within the scope of this Policy.
- Engage in vulnerability testing involving only the Services.
- Engage in vulnerability testing without affecting or harming Taboola or its customers, users, or partners.
- Adhere to the laws of their location and the location of Taboola. For example, violating laws that would only result in a claim by Taboola (and not a criminal claim) may be acceptable as Taboola is authorizing the activity (reverse engineering or circumventing protective measures) to improve the Services.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
How to Report a Vulnerability
Please report the details of any suspected or detected vulnerabilities by submitting a vulnerability
report to Taboola’s Security Team at bountyprogram@taboola.com including all the following five
(5) elements:
Taboola, Inc. 16 Madison Square West, 7th fl. New York, New York 10010
- The date you tested for and found the vulnerability
- Any steps necessary to reproduce the vulnerability
- Supporting screenshot(s) in JPEG format (when relevant)
- A short description of the potential impact
- The following affirmative statement:
I HAVE READ AND UNDERSTAND AND AGREE TO THE TERMS OF TABOOLA’S VULNERABILITY
DISCLOSURE POLICY (“POLICY”). I AGREE TO THE TABOOLA TERMS OF USE. I HAVE
COMPLIED AND WILL COMPLY WITH THE RULES OF THE POLICY AND THE TERMS OF USE. I
HAVE NOT DISCLOSED THIS SUBMISSION TO ANYONE. I DISCOVERED IT MYSELF. I WILL NOT
DISCLOSE THIS SUBMISSION TO ANYONE.
Preference, Prioritization, and Acceptance Criteria
We will use the following criteria to prioritize and triage submissions.
What we would like to see from you:
- Well-written reports in English will have a higher chance of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not listed under Program & Scope may receive lower priority.
- Please include how you found the vulnerability, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
What you can expect from us:
- A timely response to your submission (within 10 business days).
- After triage, we will send an expected remediation timeline, and commit to being as transparent as possible about such timeline, as well as on issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- Recognition after the vulnerability has been validated and resolved.
Rewards
We may reward submissions that help keep the Services safe and secure, provided that they
adhere to this Policy. Whether a reward is offered or not is at our sole and absolute discretion.
Rewarding might take up to 90 business days.