Any design or implementation issue that substantially affects the confidentiality or integrity of user data (except when done yourself) is likely to be in scope. This includes:
If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.
Using automated tests will automatically disqualify you from all bug bounties and will result in account termination.
Rewards for qualifying bugs range from $100 to $1,000, sent to your PayPal account. The following table outlines the usual rewards given for the most common classes of bugs:
| Reward | Class of bug |
|---|---|
| up to $100 | Vulnerabilities that compromise third-party user data (i.e. you can edit a third-party user's profile data) |
| up to $500 | Vulnerabilities that globally compromise user accounts (i.e. you can authenticate as any third-party user, you can delete any third-party account, you can change the email or password of any third-party account, ...) |
| up to $1,000 | Vulnerabilities that compromise Spreaker's private data and servers (i.e. you can access the source code, query the database, get a shell on a server, ...) |
IMPORTANT: reward payments are sent only via PayPal. We do not make exceptions.
If you discover any vulnerabilities, please send an email containing a working proof-of-concept to firstname.lastname@example.org.