This program aims to encourage security researchers and ethical hackers to identify and report potential security vulnerabilities in our systems or applications. This will help us to improve the security of our products and services, and protect our customers' data.
The program is open to everyone, regardless of age or nationality. However, employees of our company and their immediate family members are not eligible to participate.
Only reports that meet the following requirements are eligible to receive a monetary reward:
- You must be the first reporter of the vulnerability
- The vulnerability must demonstrate security impact on a site or application in scope (see below)
- You must not have publicly disclosed the vulnerability before the report was closed
- We are not legally prohibited from rewarding you
The program's scope includes all publicly available web applications, native applications, mobile applications, and APIs owned by our company. The scope excludes client PBXes, physical security, social engineering, and any third-party applications or services that integrate with our products.
Please refrain from:
- Overusing automated tools
- DDoS/DoS attacks
- Spamming/Phishing attacks
- Accessible non-sensitive files and directories (e.g., README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.)
- Missing flags on cookies
- Missing HTTP security headers
- Clickjacking and issues only exploitable through clickjacking
- Missing SPF, DKIM, DMARC, and CAA records in the DNS zone
- Disabled DNSSEC
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no security impact
- Descriptive error messages and patch disclosure with no security impact
- Rate limiting or brute force issues
- Software version disclosure
- Outdated software
- Reporting known-vulnerable components without proof of exploitation
- General low-severity issues reported by automated scanners
Rewards will be given based on the severity and impact of the reported vulnerability. We will follow the OWASP Risk Rating to determine the severity of the vulnerability. The minimum reward for a valid vulnerability report is $50 USD, and the maximum reward is $5,000 USD.
The highest rewards may be obtained for findings such as RCE, authentication bypass, vertical privilege escalation, and SQLi.
All vulnerability reports should be submitted to firstname.lastname@example.org and contain a description and steps to reproduce or a PoC. Reports submitted through other channels (such as email or social media) will not be eligible for rewards.
- Do not perform any destructive or disruptive actions, such as deleting or modifying data or disrupting our services.
- Do not share any confidential information obtained during the testing.
- Do not publicly disclose any vulnerabilities before we have had sufficient time to investigate and fix them.
- Follow the laws and regulations of your country and ours.
We appreciate your efforts in helping us to improve the security of our products and services. We reserve the right to modify or cancel the program at any time.