Report Security Issue
Security Vulnerability Disclosure Policy
If you discover a security vulnerability on tutadeal.com, we encourage you to report it immediately. We review all legitimate reports carefully and work quickly to resolve any issues responsibly. Please read the following guidelines before submitting your report:
Fundamentals
To ensure we handle your report appropriately and avoid legal issues, please follow these principles:
Allow us a reasonable time to investigate and fix the vulnerability before publicly disclosing any details.
Do not access, modify, or interact with private accounts or data without the owner’s consent.
Make a good faith effort to avoid violating user privacy, disrupting services, or damaging data.
Do not exploit the vulnerability for any purpose beyond reporting, including demonstrating additional risk or attempting further attacks.
Comply with all applicable laws and regulations.
Bounty Program
We value security researchers who help keep our platform safe. Rewards are offered at our discretion, based on factors such as risk, impact, and the quality of the report.
To be eligible for a bounty:
Follow the fundamentals listed above.
Report a genuine security vulnerability that poses a privacy or safety risk.
Submit your report through our official security contact—do not contact employees directly.
Disclose any accidental data access or disruption in your report.
We review all valid reports but prioritize based on severity and volume.
We reserve the right to publish vulnerability reports.
Reward Guidelines
Rewards depend on the vulnerability’s impact, exploitability, and report clarity. Only detailed, reproducible reports are eligible.
Provide clear, detailed reports with reproducible steps.
When the same issue is reported more than once, the first valid report is eligible for a reward.
Multiple vulnerabilities from a single root cause count as one issue.
Final reward amounts are at our discretion.
Reward Tiers
Critical Severity – Up to $200
Examples include:
Remote code execution
Privilege escalation to admin
SQL injection exposing sensitive data
Full account takeover
Remote shell access
High Severity – Up to $100
Examples include:
Lateral authentication bypass
Exposure of sensitive internal information
Stored cross-site scripting (XSS) affecting other users
Local file inclusion
Insecure handling of authentication cookies
Medium Severity – Up to $50
Examples include:
Business logic flaws
Insecure object references
Low Severity – Discretionary
Examples include:
Open redirects
Reflected XSS
Low-impact data exposure
Contact
To report a vulnerability, please email us at: contact@tutadeal.com
We appreciate your help in keeping our platform secure.