Security and Bug Reporting Program | Stackby - Spreadsheet Database Platform | Home

Bug Bounty Program

Security Exploit Bounty Program - $5 to $25 depending on the severity

Responsible Disclosure

We, at Stackby take security of user data and communication very seriously. In order to maintain the best security for our service, we welcome responsible disclosure of any vulnerability you find in Stackby. Principles of responsible disclosure include, but are not limited to:

  • Accessing or exposing only your own data in your account
  • Avoid any techniques that will lead to disruption of service (eg. scanning techniques, overloading the site etc.)
  • Follow our terms of service
  • Keep the vulnerability a secret, until you notify us and reasonable time has been given to us to fix the vulnerability.

In order to be eligible for the bounty, your submission must be accepted to be valid by Stackby. We use the guidelines below to determine validity of the requests and reward the compensation.


Our engineers must be able to reproduce the security flaw from your disclosure report. Any report that is too vague or unclear are not eligible for a reward. Well written disclosure report, with images, video links, proper descriptions and working code are most likely to get rewards.


More severe the bugs, greater the rewards upto $25/reward. We're most interested in vulnerabilities with our web version of Other subdomains related to the are not eligible for the rewards, unless it affects our main app version of and it's underlying customer data. Please make sure the vulnerabilities are global, and not only for a particular user that it affects. It won't qualify for rewards unless it's not global.

Access to Staging 

In order to find security vulnerabilities, please sign up on our staging server - and confirm with us your email that you’ve signed up at Do not use our main server - to find security vulnerabilities. 

Examples of Qualifying Vulnerabilities

  • Authentication flaws
  • Circumvention of our Platform/Privacy permissions model
  • Clickjacking
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • Mixed-content scripts after signup on
  • Server-side code execution

Examples of Non-Qualifying Vulnerabilities

  • Denial of Service vulnerabilities (DOS)
  • Possibilities to send malicious links to people you know
  • Security bugs in third-party websites that integrate with Stackby
  • Mixed-content scripts on Stackby
  • Insecure cookies on
  • Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves be susceptible
  • Vulnerability that is isolated to only a user's teams


  • Only 1 bounty per 1 vulnerability report
  • If we get same vulnerability report from multiple people, the person offering first clear report will receive the reward
  • Rewards are based on severity, quality of report, impact etc.

To receive a reward, you must reside in a country, not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan & Syria). This is a discretionary program and Stackby reserves the right to cancel the program; the decision whether or not to pay a reward is at our discretion. Note that we will only give out rewards via PayPal.