GuardProof Bug Bounty Program
GuardProof enjoys collaborating with the security community to identify vulnerabilities and enhance the security of our servers for the benefit of our end-users
GuardProof will actively strive to meet the following service level agreements for researchers who participate in our program:

Type of Response | Answer in business days |
---|---|
First Response | 4 days |
Time to Triage | 4 days |
Time to Bounty | 14 days |
Time to Resolution | Depends on severity and complexity |
We will endeavor to keep you informed about our progress throughout the process.
Since this is a private program, please refrain from discussing the program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from the organization.
- Please submit comprehensive reports with reproducible steps. If the report lacks sufficient detail to reproduce the issue, it will not qualify for a reward.
- Please submit one vulnerability per report, unless it's necessary to chain vulnerabilities to demonstrate their combined impact.
- In cases of duplicates, we will only reward the first report received, provided that it can be fully reproduced.
- Multiple vulnerabilities resulting from one underlying issue will be eligible for a single bounty reward.
- Social engineering, such as phishing, vishing, and smishing, is strictly prohibited.
- Make a sincere effort to prevent privacy violations, data destruction, and any disruption or degradation of our services, and interact only with accounts you own or with explicit permission from the account holder.
In the test plan, you'll have access to all source code available on our GitHub. If you wish to search for vulnerabilities or have suspicions regarding any topic, please contact us directly by sending an email.
We kindly request that you test vulnerabilities directly on our publicly accessible servers. If you require an indefinite extension of your trial for testing purposes, please don't hesitate to contact us. Please note that conducting rough testing on our primary site without prior written consent will result in a ban from our program.
When reporting vulnerabilities, please take into account (1) the attack scenario and exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
- Reflected and stored cross-site scripting within your own project dashboard.
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.
- Also excluded are content spoofing and text injection issues from within a project's dashboard, as we allow project owners to write JS on their projects.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
- Tabnabbing.
- Open redirect, unless an additional security impact can be demonstrated.
- Password or account policies, such as password complexity.
- Issues that require unlikely user interaction.
Any activity conducted in compliance with this policy will be deemed authorized conduct, and we will not pursue legal action against you. If a third party initiates legal action against you in connection with activities carried out under this policy, we will take measures to publicly acknowledge that your actions were in compliance with this policy.
Thank you for your assistance in ensuring the safety of GuardProof and our users!
Severity | Low | Medium | High | Critical |
---|---|---|---|---|
Bounty | $50 | $100 | $250 | $500 |