UPDATE: As of January 2021, the public Nickelled Bug Bounty programme is suspended. We will no longer offer bounties for reports submitted by unauthorised researchers, even if they are deemed to be valid.
We are recruiting a small number of experienced security researchers as authorised researchers, to work with us over the long term. You will be bound by the terms of the Nickelled Bug Bounty programme (below) and will be required to conduct research on non-production systems only.
If you wish to register your interest in becoming an authorised researcher, you may submit the form available online here. If you are authorised by our development team, you will be notified within 14 days. We regret that we will not be able to respond to all requests; if you do not hear from us, you will not be authorised.
No other submissions will be eligible for a bounty.
We welcome feedback from software security researchers on how to make our services (Nickelled and Qloaked) better. If you've discovered something we need to know about, we want to hear from you.
However, we have some ground rules which are designed to protect our business and your time. Please have a read of the following BEFORE you attempt to contact us with your report.
When you’re ready, submit your report to firstname.lastname@example.org.
We treat each responsible disclosure on a case-by-case basis. However, please note that in order to be eligible for a bounty:
We will not consider bug bounty payments for any of the following types of report:
To be eligible for a bounty, researchers must include the following information in submitted reports:
We treat all reports with the highest priority. If you submit a report, you can expect the following levels of service under this programme.
The minimum bounty amount for an eligible disclosure is $15 and the maximum is $50. Bounty amounts are determined at our discretion, taking into account the severity, impact and quality of the issues raised in your report.
We expect you to provide a legal invoice with valid international banking details if a bounty is to be paid. For legal reasons, we can't make payments to anonymous or untraceable individuals or e-wallets such as PayPal.
While we welcome reports, we expect security researchers to play fair. We reserve the right to take legal action against any individual or company that intentionally penetrates, degrades or accesses any part of our network without prior authorisation.
Researchers should NOT conduct, or attempt to conduct, any of the following activities: