Security Vulnerability Reporting
Security issues within our product offerings take a very high priority. We want to work with you to understand the scope of the vulnerability and ensure that we correct the problem fully.
In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Bugify. Principles of responsible disclosure include, but are not limited to:
- Accessing or exposing only customer data that is your own.
- Not destroying or corrupting (or attempting to destroy or corrupt) data or information that does not belong to you.
- Avoiding scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the servers).
- Keeping within the guidelines of our Terms Of Service.
- Keeping details of vulnerabilities confidential until we have been notified and had a reasonable amount of time to fix the vulnerability, and further time to allow our customers a reasonable amount of time to upgrade.
In order to be eligible for a bounty, your submission must be accepted as valid by Bugify. We use the following guidelines to determine the validity of requests and the reward compensation offered:
- Reproducibility - Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.
- Severity - More severe bugs will be met with greater rewards. We are most interested in vulnerabilities in the Bugify web app and bugify.com. Rewards are offered at our discretion.
- support.bugify.com is a third-party service and is specifically excluded from the program.
- Only 1 bounty will be awarded per vulnerability.
- If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
- We maintain flexibility with our reward system, and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.
Contact us via the email address [email protected] with a detailed report of the potential vulnerability. This email should include as much of the following as possible:
- Type of vulnerability.
- Whether the information has been published or shared with others.
- Affected products/websites and versions.
- Affected configurations if applicable.
- Step-by-step instructions or proof-of-concept code to replicate the issue.
Once submitted, we will acknowledge that we have received your report with a non-automated reply within 7 days and, where applicable, provide an outline of our response plan.
We will then review the information and work to validate the reported vulnerability. In the event that a true vulnerability is discovered, we will complete the investigation and notify the reporter. Where appropriate, the reporter will receive the results of the vulnerability findings, a plan for resolution and plans for public disclosure.
We would like to acknowledge the following people who have responsibly disclosed security vulnerabilities in the past. Thank you for your help in keeping our customers safe.
- Aditya Agrawal
- Juan Broullón Sampedro
- Anand Prakash
- Roy Jansen
- Shivam Kumar Agarwal, Nithish Varghese and Sahil Srivastava
- Hugh Davenport - All The Things Ltd
Note: While we sincerely appreciate reports for vulnerabilities of all severity levels, this listing is reserved for people who have reported previously unknown vulnerabilities, which we have determined to be of a high or critical severity, or in cases where there has been continued research or other contributions made by the person.