Vulnerability Disclosure Policy
TAP welcomes responsible disclosure of vulnerabilities. This policy describes the rules governing it and how to submit a report to us. Please note that TAP may change this policy, from time to time.
You, a security researcher willing to contribute to the discovery of security vulnerabilities in our applications, should read this policy before engaging in such activity, and follow the rules described herein.
- TAP does not offer financial compensation for the submission of vulnerabilities.
- TAP may allow to being named as a reference under the conditions mentioned in the publication rules.
- We ask you not to publish the vulnerability before TAP confirms its resolution.
- We ask you to obtain our written approval for publication.
- We ask you to omit or redact confidential information in the publication.
- The following domains: www.flytap.com, booking.flytap.com, myb.flytap.com, store.flytap.com, bidmiles-and-go.flytap.com, www.tapcorporate.com, corporatebooking.flytap.com, www.tapairportugal.com, www.tapme.pt, www.tapcargo.com, www.cartaocreditomilesandgo.flytap.com, cartoesdecredito.flytap.com.
- TAP Air Portugal mobile App (IOS and Android).
- Any domain not specifically included in the scope.
- Any other application, whether mobile, web or other not included in scope.
- Vulnerabilities in integrated services belonging to other companies.
- Automated scans.
- Performance or stress tests, and tests that may cause disruptions, including denial-of-service tests (DoS or DDoS).
- Attacks on TAP’s employees or users, including social engineering, extortion, spamming or phishing.
- Physical security compromises.
- Introduction of backdoors or any persistent access.
- Introduction of changes to systems or applications.
- Modifying or deleting data in systems or applications.
- Output of automated scans.
- Security best practices, such as security headers, cookie flags.
- Insecure SSL/TLS versions or Ciphers.
- SPF, DKIM, and DMARC related configurations.
- Vulnerabilities with minimal impact.
- A vulnerability already reported or detected by TAP’s own means.
- Act in good faith and comply with applicable law.
- Do not violate data privacy, integrity, or availability.
- Do not extract data.
- Promptly report any discovered vulnerability solely to TAP.
- Perform the testing activities only to the extent necessary to confirm the vulnerability. Stop as soon as You can prove its existence.
- If you are not sure that the testing activities will not cause damage to TAP, stop your testing and contact us.
- Provide us sufficient details to reproduce the vulnerability.
- Allow us a reasonable time to analyse, reproduce and fix the vulnerability.
- Provide us the report in english or portuguese.
- Email us using this address: [email protected].
- We strongly recommend that you encrypt the report using our PGP public key [published here].
- To respond in a timely manner and acknowledge the receipt of your report.
- To work with You to understand and validate your findings as well as discuss issues.
- To develop measures to remedy the discovered vulnerabilities in a timely manner.
- To notify You when the vulnerability has been fixed.
TAP will only use your personal data to contact you within the scope of your vulnerability report.
However, on a need-to-know basis, we may disclose your personal data to our business partners, but always in compliance with the personal data legislation in force.
We will retain your personal data for not longer than 1 year, after the process is finished.
However, on a need-to-know basis, we may disclose your personal data to our business partners, but always in compliance with the personal data legislation in force.
We will retain your personal data for not longer than 1 year, after the process is finished.