We value your security
At Rows, we know that we have to be a spreadsheet that you can entrust with any type of data. As such, we place the highest priority on ensuring the security of your data.
We follow state-of-the-art security practices, as some of our integration partners, for example, Google or Facebook, perform security audits of our platform.
Your data, including backed-up data, is encrypted at rest, that is when it’s stored on our servers, using 256-bit AES encryption. When sending data from your spreadsheet to our servers, we use HTTPS TLS protocols.
Your credit card data is additionally protected using Stripe’s security procedures.
Vulnerability bounty program
In case you discover a security vulnerability in Rows' website or platform, please report it to Rows' Security team by sending an email to security@rows.com. Your report might be eligible for a reward. Please see the details of our bounty program below.
Rewards
At Rows, we provide rewards to vulnerability reporters at our discretion. The reward amounts are calculated based on the category/severity of each reported issue and are paid out only via PayPal.
| Severity | Value |
|---|---|
| Low | $100 |
| Medium | $150 |
| High | $250 |
| Critical | $1000 |
Before you submit a new issue, you should calculate the issues' severity using the CVSS calculator and attach the output when sending the issue report.
Eligibility
Here are our eligibility requirements for rewards:
- The issue must occur on the latest publicly available website/app of rows.com.
- You should be the first one to report the issue - We don't reward an issue that has already been reported.
- The issue must be real, not a situation described as hypothetical.
- You can't disclose the issue publicly without Rows' consent.
- It's recommended you have a video, how to or information to help the Rows team to reproduce the problem.
- The issue must be in scope (see below).
Out of scope
We do not accept reports that are simply the output from an automated security scanner. Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight.
Here are some areas we generally consider to be out of scope:
- Feature bugs.
- Vulnerabilities in third-party code or services that do not lead to an exploit.
- Any kind of vulnerabilities in third-party services like Discourse (which we use for our forum), HelloNext (to collect feedback) etc.
- Missing HTTP security headers, such as:
- Content-Security-Policy
- Feature-Policy
- HTTP Strict Transport Security
- HTTP Public Key Pinning
- X-Content-Type-Options
- X-XSS-Protection
- Referrer-Policy
- P3P
- Certificate Transparency (Expect-CT)
- X-Download-Options
- X-DNS-Prefetch-Control
How to report an issue
To report an issue, you should send us an email to security@rows.com with all the detail below:
- Issue description.
- How to, video or proof of concept.
- CVSS calculator output.
- Self-assessed severity.
- Any other information you consider useful for the Rows team.
- Encrypt your email report with our PGP key.
By submitting a vulnerability report to Rows, you grant to Rows GmbH, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.
Thank you for helping keep Rows and our customers safe.