Bug Bounty Programme
We welcome feedback from software security researchers on how to make our services (Nickelled and Qloaked) better. If you've discovered something we need to know about, we want to hear from you.
However, we have some ground rules which are designed to protect our business and your time. Please have a read of the following BEFORE you attempt to contact us with your report.
When you’re ready, submit your report to firstname.lastname@example.org.
We treat each responsible disclosure on a case by case basis. However, please note that in order to be eligible for a bounty:
- You must be the first to report an issue
- You must provide reproducible steps
- You must give us reasonable time to respond before you disclose any information about your report
- You must remain available to provide any further required information
- You must not maliciously exploit any security issue which you uncover
Types of Report
We will not consider bug bounty payments for any of the following types of report:
- Denial of Service/Spam
- Disclosure of known public files
- Outdated libraries
- Attacks requiring social engineering or access to any kind of personal information (such as phishing)
- Any other non-technical report
- Use of libraries already known to be vulnerable
- UI redressing attacks
- Use of brute-force or methods of 'breaking and entering'
- Issues with software not owned/controlled by Nickelled
- Speculative reports
- Reports recommending 'best practice'
- Reports already publicly disclosed
- Browser compatibility issues
What to include in your report
To be eligible for a bounty, researchers must include the following information in submitted reports:
- Your name
- Organization name
- Contact telephone
- Product affected
- Description of the potential vulnerability
- Supporting technical details, such as proof of concept, screenshots, traces, code snippets, code description, steps to reproduce
- Disclosure plans, if any
Our Commitment to You
We treat all reports with the highest priority. If you submit a report, you can expect the following levels of service under this programme.
- An acknowledgement of the issue within 120 hours
- Direct contact with a member of our infrastructure team within 48 hours of the acknowledgement
- A decision on the eligibility of your report for a bounty within five working days after the direct contact
- A payment under the programme within 30 days of the decision on eligibility
- Resolve the qualifying issue within 90 days of your first report. More complex issues may take longer to resolve.
The minimum bounty amount for an eligible disclosure is $50 and the maximum is $250. Bounty amounts are determined at our discretion, taking into account the severity, impact and quality of the issues raised in your report.
We expect you to provide a legal invoice with valid international banking details if a bounty payment is to be paid. For legal reasons, we can't make payments to anonymous or untraceable individuals or e-wallets such as paypal.
While we welcome reports, we expect security researchers to play fair. We reserve the right to take legal action against any individual or company that intentionally penetrates, degrades or accesses any part of our network without prior authorisation.
Researches should NOT conduct, or attempt to conduct, any of the following activities:
- Accessing third-party user data
- Degrading network performance
- Using automated tools such as scanners or fuzzers
- Attempting physical attacks on our infrastructure, staff, or users