Coordinated Vulnerability Disclosure

Last updated on November 1, 2023

Tamr is committed to maintaining the security of our products, services, systems, and customers’ information. A Coordinated Vulnerability Disclosure (CVD) Program is an inherent part of this effort. 

If you believe you have discovered a potential security vulnerability or bug within any of Tamr’s publicly available resources, systems, services, or products, please share it with us by following the submission guidelines below. Thank you in advance for your submission; we appreciate researchers assisting us in our security efforts. 

Note: Tamr does not operate a public bug bounty program, and we make no offer of reward or compensation in exchange for submitting potential issues.

CVD Program Guidelines

We request that researchers observe the following guidelines when investigating and reporting potential vulnerabilities:

  • Avoid activities that can potentially cause harm to Tamr, our customers, or our employees.
  • Avoid activities that can potentially stop or degrade Tamr’s services or assets.
  • Avoid activities that violate (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.
  • Do not store, share, compromise, or destroy Tamr or customer data. If you encounter Personally Identifiable Information (PII), immediately halt your activity, purge related data from your system, and immediately contact Tamr. This step protects any potentially vulnerable data, and you.
  • Provide Tamr reasonable time to fix any reported issues, and notify Tamr in writing before such information is shared with a third party or disclosed publicly.

If you responsibly submit your findings to Tamr in accordance with these guidelines, Tamr agrees not to pursue legal action against you. Tamr reserves all legal rights in the event of non-compliance with these guidelines.

CVD Process

  1. Once a vulnerability report is submitted by a Finder (see Submission Format and Submission Instructions), it is shared with the Tamr Information Security team. This team triages the vulnerability and shares the report with the Head of Data Security and the Tamr Product team. 
  2. The vulnerability is assessed, and either accepted or rejected as to its validity.
  3. If the vulnerability report is assessed as valid, Tamr aims to resolve all valid vulnerabilities as soon as possible following Tamr’s vulnerability policy.

Out-of-Scope Vulnerabilities

Certain vulnerabilities are considered out of scope for our Coordinated Vulnerability Disclosure Program. Out-of-scope vulnerabilities include the following:

  • Physical Testing
  • Social Engineering
  • Phishing and its variants
  • Denial of service attacks
  • Resource exhaustion attacks
  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Rate limiting or bruteforce issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies.
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Tabnabbing
  • Open redirect, unless an additional security impact can be demonstrated.
  • Issues that require unlikely user interaction.
  • Broken links on www.tamr.com

Submission Format

When reporting a potential vulnerability, please include sufficient information for us to validate and reproduce the issue, including the following:

  • The service, resource, site, or system affected. Please include the URL, IP address, resource, or product name.
  • A detailed description of the vulnerability and steps taken. We welcome screen captures, test data, and logs.
  • Tools and versions that were used to discover the vulnerability.
  • Projected impact of the vulnerability and likely attack scenario.

In addition, we would appreciate:

  • Proof of Concept (PoC): Instructions demonstrating how the vulnerability might be exploited.
  • Remediation, mitigation, or corrective actions of how to fix the vulnerability.

Submission Instructions

Email us at security@tamr.com.

Hall of Fame

This section lists Finders who have contributed to increasing the security of the Tamr platform by submitting vulnerability reports. This Hall of Fame allows Tamr to recognize and acknowledge the positive impact the Finder has made on cybersecurity.

Entry to the Hall of Fame is optional and is at the discretion of the Finder and Tamr.

Tamr would like to thank the following people for making a responsible disclosure to us and recognize their contribution to increasing security in standards: