Rows – BBP

Rows

We build technology that lets anyone solve business challenges using only their spreadsheet skills.

  • Reward Range: $50 - $1,000 (per eligible submission)

  • Response SLA: 30 hours (initial response time)

  • Average Time to Resolution: 1 Month (from submission to payout)

  • Vulnerabilities rewarded: 6

  • Validation Within: 18 hours

  • Recent Payout: $250

Overview

Rows is committed to ensuring the security of our platform and user data. Through our Bug Bounty Program, hosted on the Huntbug crowdsourced security platform, we invite security researchers to identify and report vulnerabilities in our systems. Your efforts help keep Rows secure, and eligible reports may qualify for rewards.

Program Summary

  • Scope: Vulnerabilities on rows.com and its latest publicly available platform.

  • Reporting: Submit reports via Huntbug’s platform.

  • Compliance: Rows is SOC 2 Type II and GDPR compliant, with data encrypted at rest (256-bit AES) and in transit (HTTPS TLS).

  • Privacy: User data is never used to train AI models, and you retain control over your data.

  • More Info: See our documentation and privacy policy on rows.com.

Security Commitment

At Rows, we prioritize the security of your data, ensuring our spreadsheet platform is a trusted solution for all users. Hosted on Huntbug, our Bug Bounty Program leverages the expertise of the global security community to identify potential vulnerabilities.

Our platform undergoes regular security audits, including by integration partners like Google and Facebook. All data, including backups, is encrypted at rest using 256-bit AES encryption, and data in transit is secured with HTTPS TLS protocols. Payment data is protected through Stripe’s robust security measures.

Compliance

Rows adheres to rigorous data protection standards:

  • GDPR Compliant: We process personal data in compliance with GDPR, respecting user privacy globally.

  • SOC 2 Type II Certified: Our systems meet strict criteria for security, availability, and confidentiality.

Bug Bounty Program Details

Rewards

Rewards are issued at Rows’ discretion, based on the severity of the reported vulnerability, and paid exclusively via PayPal.

Severity | Reward
Low      | $100
Medium   | $150
High     | $250
Critical | $1000

Use the CVSS calculator to assess severity and include the output in your report.

Eligibility

To qualify for a reward:

  • The issue must affect the latest public version of rows.com.

  • You must be the first to report the issue—duplicates are ineligible.

  • Provide a proof of concept demonstrating exploitability.

  • Do not disclose the issue publicly without Rows’ consent.

  • Include detailed reproduction steps, a video, or a how-to guide.

  • The issue must be in scope (see below).

In Scope

  • Vulnerabilities on rows.com and its subdomains.

  • Issues impacting the confidentiality, integrity, or availability of user data or platform functionality.

Out of Scope

The following are generally excluded:

  • Automated scan outputs without validation.

  • Non-security bugs (e.g., UI glitches, broken links).

  • SMTP issues (e.g., SPF/DKIM/DMARC misconfigurations).

  • Clickjacking without a practical exploit.

  • Missing DNSSEC.

  • SSL/TLS best practices (e.g., BEAST, BREACH) without a realistic exploit.

  • Missing cookie security flags unless exploitable.

  • Information disclosure of public data (e.g., software versions) without a direct vulnerability.

  • Third-party service vulnerabilities (e.g., Discourse, HelloNext) unless directly exploitable.

  • Missing HTTP security headers (e.g., Content-Security-Policy, HSTS) without an exploit.

  • Self-XSS vulnerabilities.

  • Missing best practices (e.g., autocomplete attributes) without a vulnerability.

  • Social engineering attacks (e.g., phishing).

  • Brute force or rate-limiting issues.

  • Denial of Service (DoS) attacks.

  • Content spoofing or text injection without an exploitable payload.

  • Host header injection without a specific exploit.

  • Software version disclosure unless tied to a known, exploitable vulnerability.

  • Missing CSRF tokens on non-sensitive pages.

  • Issues affecting outdated browsers.

  • Vulnerabilities requiring excessive user interaction.

How to Report

Submit reports through Huntbug’s platform or email security@rows.com with:

  • A detailed description of the issue.

  • Proof of concept, video, or reproduction steps.

  • CVSS calculator output.

  • Self-assessed severity.

  • Any additional relevant information.

Encrypt email reports using our PGP key, available on rows.com. By submitting a report, you grant Rows GmbH a perpetual, irrevocable, no-charge license to all intellectual property rights related to the submission. Notify us if the material involves third-party intellectual property.

We aim to respond within 3 business days.

Spam Prevention

To ensure the quality of submissions:

  • Avoid raw automated scan reports—validate findings and provide proof of concept.

  • Focus on high-quality, detailed reports over quantity.

  • Repeated low-quality, out-of-scope, or duplicate submissions may result in temporary or permanent exclusion from the program.

Thank You

We appreciate your contributions to keeping Rows secure. By participating in our Bug Bounty Program on Huntbug, you help protect our users and platform.
