TicketDaddy


Vulnerability Disclosure Policy

TicketDaddy welcomes and encourages coordinated security research. If you believe you have found a security vulnerability in our platform, we ask that you disclose it responsibly by following this policy. We commit to working with researchers who act in good faith.

Effective: 24 March 2026 · Last updated: 24 March 2026

In-Scope Assets

The following systems and services are in scope for security testing:

  • ticketdaddy.io and all subdomains (*.ticketdaddy.io)
  • TicketDaddy mobile applications (iOS and Android)
  • TicketDaddy public APIs (api.ticketdaddy.io)
  • Smart contracts deployed by TicketDaddy

Qualifying Vulnerabilities

We are particularly interested in the following vulnerability classes:

  • Remote code execution (RCE) or server-side request forgery (SSRF)
  • SQL injection, NoSQL injection, or other injection flaws
  • Cross-site scripting (XSS) with demonstrable impact
  • Authentication or authorization bypass (broken access control)
  • Insecure direct object references (IDOR) exposing user data
  • Cryptographic weaknesses leading to data exposure
  • Smart contract vulnerabilities (re-entrancy, integer overflow, logic errors)
  • Payment or ticketing logic flaws (price manipulation, duplicate redemption)
  • Privilege escalation between user roles (attendee, organizer, admin)

Out of Scope

The following issues are generally not eligible unless you can demonstrate a concrete, exploitable security impact:

  • Missing security headers without a demonstrated exploit
  • Clickjacking on pages with no sensitive actions
  • Content spoofing or text injection without demonstrable risk
  • CSRF on unauthenticated forms or logout functionality
  • Denial-of-service (DoS/DDoS) vulnerabilities (do not attempt to demonstrate these against production systems; see Prohibited Actions)
  • Rate limiting issues on non-critical endpoints
  • Software version disclosure or banner grabbing
  • Social engineering, phishing, or physical attacks
  • Issues in third-party services (report directly to that vendor)
  • Automated scanner output without manual verification

How to Report

Email

Send your report to [email protected]

Please include:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • The affected URL, endpoint, or smart contract address
  • Your IP address and/or test account (so we can distinguish your activity from an attack)
  • Any proof-of-concept code, screenshots, or video recordings
  • Your assessment of severity (e.g. using CVSS 3.1)

Response Timeline

  • 24 hours: we acknowledge receipt of your report and assign a tracking identifier
  • 72 hours: we provide an initial assessment and severity classification (CVSS), and let you know whether the issue is accepted
  • 7 days: we share our remediation plan and expected resolution timeline
  • 90 days: maximum coordinated disclosure window; you may disclose publicly after this period if the issue remains unresolved

Guidelines for Researchers

Expected Conduct

  • Report vulnerabilities as soon as you discover them
  • Provide sufficient detail to reproduce the issue
  • Give us reasonable time to fix before any public disclosure
  • Only interact with accounts you own or have explicit permission to test
  • Delete any non-public data obtained during testing promptly
  • Act in good faith to avoid privacy violations, data destruction, and service degradation

Prohibited Actions

  • Accessing, modifying, or exfiltrating other users' data
  • Performing denial-of-service or resource exhaustion attacks
  • Sending unsolicited messages or notifications to users
  • Publicly disclosing details before the coordinated disclosure timeline
  • Using automated scanning tools that generate significant traffic
  • Placing backdoors or persistent access mechanisms in any system

Safe Harbor

When conducting security research under this policy, we consider your activity to be authorized and lawful. We commit to the following:

  • We will not initiate or recommend legal action against researchers who comply with this policy, including where a deviation from it occurs accidentally and in good faith.
  • We will not pursue claims under the Computer Fraud and Abuse Act (CFAA), the EU Directive on Attacks Against Information Systems, or equivalent laws for authorized research under this policy.
  • If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will take reasonable steps to make it known that your actions were authorized under our program.
  • We will work with you to understand and validate your report before taking any enforcement action if there is a misunderstanding.

This safe harbor applies only to legal claims under the control of TicketDaddy and does not bind independent third parties. If at any time you have concerns or are uncertain whether your research is consistent with this policy, please submit a report to [email protected] before proceeding further.

Recognition & Rewards

While we do not currently operate a paid bug bounty program, we deeply value the efforts of security researchers. In recognition of valid, responsibly disclosed vulnerabilities, we offer:

  • Public acknowledgment on our Security Acknowledgments page (with your consent)
  • A letter of appreciation that can be used for professional portfolios
  • At our discretion, goodwill rewards for exceptionally high-impact reports

We are evaluating a formal bounty program and will update this page when details are available.

Questions

If you have questions about this policy or need clarification before submitting a report, contact us at [email protected]. For general security inquiries about our platform, visit our Security page.

© 2025 TicketDaddy. East Africa's Premier Ticket Platform.