Bounty Program Info
The security of our users’ data and the integrity of our system is our highest priority. We design, build and test our software and infrastructure with this goal. The tech space changes rapidly and we recognize that vulnerabilities present themselves and we want to stop that as soon as possible. We have a reward program to help put our security to the test while also hoping to build meaningful connections with the best of the best. We offer payments electronically or can contribute to a charity in your name or a scholarship.
Please follow a few guidelines:
- Please be a good citizen: Do not disturb the service. Follow the ToS. Avoid automated testing.
- If you gain access to our system, report it immediately.
- Only test with your data. Do not interact with other accounts.
- Do not publish any information regarding the vulnerability until we fix it.
- We only award one bounty per vulnerability. If we receive multiple reports, the first one will receive the reward. However if your report is of the same but presents alternative solutions, we will consider your report as a new idea.
- If you want to email us send to email@example.com or text us at 214-625-9023
What we’re looking for
We’re looking for any security exploit. But we’ll be extra generous with:
- Tampering data of other users. For example, this could be extracting or modifying someone’s leads. Please note only proving an account exists isn’t enough.
- Bypassing our API’s security: If you’re able to go a lot beyond your quota of requests per month or avoid authentication altogether.
- Cross-site scripting (XSS)
- Server-side code execution
- Getting Data from a Team Member
- Getting Data from the WWW
Please keep in mind this bounty program doesn’t concern regular bugs in our application, but only security flaws allowing intruders to gain access to data of other users. If you wish to report a regular bug, firstname.lastname@example.org
Examples of Non-Qualifying exploits
- Mixed-content scripts
- Social engineering
- Failures to adhere to “best practices” (for example, common HTTP headers, link expiration, email-validation or password policy)
- Data published via the company through approved publishers.
Examples of Non-Qualifying reports
These are theoretical vulnerabilities we’re aware of, but we decided they didn’t present any risk in our case:
- Non-expiring session cookie: Funnel Science is protected through the use of HTTPS and our inclusion in the HSTS preload list of major browsers.
Our reward system is flexible and doesn’t have any set upper or lower limit payment limits. This means severe bugs will be rewarded accordingly. In addition we pay for creative solutions that improves or enhances the system for all users. The amount will exclusively depend on the creativity or severity of the issue which you report. If we many any updates to our system or practices based on your report, we will pay you a Research Reward.
Rewards will be sent using Check, Paypal or Crypto once the vulnerability has been fixed. These services collect a fee for processing the transaction, which gets deducted from the amount awarded.
Please submit your report via email. We answer all submissions within a few days and most of the time the same day. Once the patch is online, we’ll pay your bounty/reward using PayPal or other platform. If you have any questions regarding the program, please contact us at email@example.com
Dane Kuiper PhD
Hall of Fame
Robert G | $300