Bug Bounty Programme

UPDATE: As of January 2021, the public Nickelled Bug Bounty programme is suspended. We will no longer offer bounties for reports submitted by unauthorised researchers, even if they are deemed to be valid.

We are recruiting a small number of experienced security researchers as authorised researchers, to work with over a long-term period. You will be bound by the terms of the Nickelled Bug Bounty programme (below) and will be required to conduct research on non-production systems only.

If you wish to register your interest in becoming an authorised researcher, you may submit the form available online online here. If you are authorised by our development team, you will be notified within 14 days. We regret that we will not be able to respond to all requests and if you do not hear from us, you will not be authorised.

No other submissions will be eligible for a bounty.

We welcome feedback from software security researchers on how to make our services (Nickelled and Qloaked) better. If you've discovered something we need to know about, we want to hear from you.

However, we have some ground rules which are designed to protect our business and your time. Please have a read of the following BEFORE you attempt to contact us with your report.

When you’re ready, submit your report to security@nickelled.com.

Ground Rules

We treat each responsible disclosure on a case by case basis. However, please note that in order to be eligible for a bounty:

  • You must be the first to report an issue
  • You must provide reproducible steps
  • You must give us reasonable time to respond before you disclose any information about your report
  • You must remain available to provide any further required information
  • You must not maliciously exploit any security issue which you uncover

Types of Report

We will not consider bug bounty payments for any of the following types of report:

  • Denial of Service/Spam
  • Disclosure of known public files
  • Outdated libraries
  • Attacks requiring social engineering or access to any kind of personal information (such as phishing)
  • Any other non-technical report
  • Use of libraries already known to be vulnerable
  • UI redressing attacks
  • Use of brute-force or methods of 'breaking and entering'
  • Issues with software not owned/controlled by Nickelled
  • Speculative reports
  • Reports recommending 'best practice'
  • Reports already publicly disclosed (whether affecting Nickelled or a third party)
  • Browser compatibility issues
  • Missing HTTP headers or other theoretical issues with in-transit data

What to include in your report

To be eligible for a bounty, researchers must include the following information in submitted reports:

  • Your name
  • Organization name
  • Contact telephone
  • Product affected
  • Description of the potential vulnerability
  • Supporting technical details, such as proof of concept, screenshots, traces, code snippets, code description, steps to reproduce
  • Disclosure plans, if any

Our Commitment to You

We treat all reports with the highest priority. If you submit a report, you can expect the following levels of service under this programme.

  • An acknowledgement of the issue within 120 hours
  • Direct contact with a member of our infrastructure team within 48 hours of the acknowledgement
  • A decision on the eligibility of your report for a bounty within five working days after the direct contact
  • A payment under the programme within 30 days of the decision on eligibility
  • Resolve the qualifying issue within 90 days of your first report. More complex issues may take longer to resolve.

Bounty Amount

The minimum bounty amount for an eligible disclosure is $15 and the maximum is $50. Bounty amounts are determined at our discretion, taking into account the severity, impact and quality of the issues raised in your report.

We expect you to provide a legal invoice with valid international banking details if a bounty payment is to be paid. For legal reasons, we can't make payments to anonymous or untraceable individuals or e-wallets such as Paypal.

Play Fair

While we welcome reports, we expect security researchers to play fair. We reserve the right to take legal action against any individual or company that intentionally penetrates, degrades or accesses any part of our network without prior authorisation.

Researches should NOT conduct, or attempt to conduct, any of the following activities:

  • Accessing third-party user data
  • Degrading network performance
  • Using automated tools such as scanners or fuzzers
  • Attempting physical attacks on our infrastructure, staff, or users