GuardProof Bug Bounty Program

GuardProof enjoys collaborating with the security community to identify vulnerabilities and enhance the security of our servers for the benefit of our end-users.

Response Targets

GuardProof will actively strive to meet the following service level agreements for researchers who participate in our program:

Type of Response      Answer in business days
First Response        4 days
Time to Triage        4 days
Time to Bounty        14 days
Time to Resolution    Depends on severity and complexity

We will endeavor to keep you informed about our progress throughout the process.

Disclosure Policy

  • Since this is a private program, please refrain from discussing the program or any vulnerabilities (even resolved ones) outside of the program without explicit consent from the organization.

Program Rules

Please submit comprehensive reports with reproducible steps. If the report lacks sufficient detail to reproduce the issue, it will not qualify for a reward.

  • Please submit one vulnerability per report, unless it's necessary to chain vulnerabilities to demonstrate their combined impact

  • In cases of duplicates, we will only reward the first report received, provided that it can be fully reproduced

  • Multiple vulnerabilities resulting from one underlying issue will be eligible for a single bounty reward

  • Social engineering, such as phishing, vishing, and smishing, is strictly prohibited

  • Make a sincere effort to prevent privacy violations, data destruction, and any disruption or degradation of our services, and interact only with accounts you own or with explicit permission from the account holder

Test Plan

Under the test plan, you have access to all source code available on our GitHub. If you wish to search for vulnerabilities or have suspicions regarding any topic, please contact us directly by email.

Testing Vulnerabilities

We kindly request that you test vulnerabilities directly on our publicly accessible servers. If you require an indefinite extension of your trial for testing purposes, please don't hesitate to contact us. Please note that conducting rough testing on our primary site without prior written consent will result in a ban from our program.

Out of Scope Vulnerabilities

When reporting vulnerabilities, please take into account (1) the attack scenario and exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

  • Reflected and stored cross-site scripting within your own project dashboard

  • Clickjacking on pages with no sensitive actions

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

  • Attacks requiring MITM or physical access to a user's device

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability

  • Missing best practices in SSL/TLS configuration

  • Any activity that could lead to the disruption of our service (DoS)

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

    • Also excluded are content spoofing and text injection issues from within a project's dashboard, as we allow project owners to write JS on their projects

  • Rate limiting or brute-force issues on non-authentication endpoints

  • Missing best practices in Content Security Policy

  • Missing HttpOnly or Secure flags on cookies

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)

  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis

  • Tabnabbing

  • Open redirect - unless an additional security impact can be demonstrated

  • Password or account policies, such as password complexity

  • Issues that require unlikely user interaction

Safe Harbor

Any activity conducted in compliance with this policy will be deemed authorized conduct, and we will not pursue legal action against you. If a third party initiates legal action against you in connection with activities carried out under this policy, we will take measures to publicly acknowledge that your actions were in compliance with this policy.

Thank you for your assistance in ensuring the safety of GuardProof and our users!

Rewards

Low       Medium    High      Critical
$50       $100      $250      $500
