Bug Bounties

Airtable

Powered by: 

Allows bounty splitting: 

Average time to first program response: 

Average time to bounty awarded:

Average time to report resolved: 

Handle: airtable

Managed program: true

Name: Airtable

Offers bounties: true

Offers swag: false

Response efficiency percentage: 100

Submission state: open

Url: https://hackerone.com/airtable

Website: https://staging.airtable.com/

In scope:

  • Asset identifier: *.staging-airtableblocks.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: IMPORTANT: this domain is NOT eligible for stored XSS via building custom apps/blocks functionality.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: *.staging.airtable.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: airtable.js SDK (https://www.npmjs.com/package/airtable)
  • Asset type: SOURCE_CODE
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction:
      - Install `airtable.js` via `npm install airtable`
      - Visit https://staging.airtable.com/account and generate an API key
      - Create a new JavaScript file and add the following lines:

      ```javascript
      const Airtable = require('airtable');
      const airtable = new Airtable({
          apiKey: 'PUT YOUR API KEY HERE',
          // IMPORTANT: you MUST set the endpointUrl attribute to this URL,
          // or else you will be testing on airtable.com, which is out of scope
          endpointUrl: 'https://api-staging.airtable.com',
      });
      ```

      See https://staging.airtable.com/api for instructions on how to use the API, as well as [the source code on GitHub](https://github.com/airtable/airtable.js).

      Please note that reports about outdated/vulnerable dependencies flagged by `npm audit` or `yarn audit` are **out of scope**. Vulnerabilities discovered via manual code audits are acceptable.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: api-staging.airtable.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: Go to https://staging.airtable.com/account to generate an API key. See https://staging.airtable.com/api for API documentation per base.
  • Integrity requirements: 
  • Max severity: critical



  • Asset identifier: staging.airtable.com
  • Asset type: URL
  • Availability requirement: 
  • Confidentiality requirement: 
  • Eligible for bounty: true
  • Eligible for submissions: true
  • Instruction: 
  • Integrity requirements: 
  • Max severity: critical