Reward Program
We will pay a bounty for eligible security vulnerabilities based on the severity and impact of the issue. Severity will be determined by our in-house security team based on industry-standard guidelines. Bounties will be paid out in accordance with the assessment of our security team and our reward guidelines.
Reward Guidelines
1. Rewards will vary based on the severity and potential impact of the vulnerability.
2. We appreciate responsible disclosure. Please do not share the issue with others until it has been resolved.
3. Only submit reports for vulnerabilities that have not been previously reported.
Scope
Our Bug Bounty Program covers all aspects of Safello. This includes the website, API, and any associated services.
Please focus your testing on these areas.
Responsible Disclosure
We expect all participants to adhere to responsible disclosure practices.
This means you should not exploit the vulnerability for any reason other than to demonstrate the security issue.
Eligibility
To be eligible for a bounty, you must:
• Be the first person to responsibly disclose the vulnerability to us.
• Not publicly disclose the vulnerability before we have had a reasonable opportunity to patch the issue.
• Not have worked or been a consultant for Safello, either currently or in the past.
Exclusions
The following issues are not eligible for a bounty:
• Vulnerabilities that have already been reported or fixed.
• Vulnerabilities in third-party software or libraries.
• Denial of Service attacks.
• Spam or social engineering techniques.
Disclaimer
This program is for testing the security of our products and services. You should not violate any laws or any user's privacy in your testing. We reserve the right to cancel or modify the program at any time.