Researcher Guidelines

Our mission is to create a transparent, safe, and productive environment for collaboration.

1. Our Philosophy

We believe that collaboration with security researchers is a cornerstone of protecting modern digital systems. We recognize the value of your time and effort and promise to respect your work. Our shared goal is to make cyberspace safer.

Golden Rule: Act as a partner. Test responsibly without causing harm, and report your findings only to us. In return, we guarantee fair evaluation and appropriate rewards.

2. Scope and Rules of Engagement

Strict adherence to these rules is required to participate in our programs.

Allowed and encouraged:
  • Test only the assets listed in the program's Scope.
  • Submit clear, detailed reports with reproducible steps (Proof of Concept).
  • Immediately report critical vulnerabilities.
  • Maintain full confidentiality until authorized disclosure.

Strictly prohibited:
  • Any activity that may cause denial-of-service (DoS/DDoS).
  • Social engineering, phishing, or spamming.
  • Accessing, altering, or deleting data that does not belong to you. If you unintentionally access sensitive data, stop immediately and report it.
  • Public disclosure of vulnerabilities without our written approval.

3. Process: From Report to Reward

1. Report Submission

You submit a detailed report via our platform.

2. Validation

Our triage team reviews and validates the finding.

3. Reward

Once confirmed, you receive your payout.

4. Remediation

We pass the report to the client for fixing.

4. Vulnerability Qualification

We reward reports covering a wide range of vulnerabilities.

Out of Scope (examples):

  • Automated scan results without proof of exploitability.
  • Missing best practices (e.g., absent HTTP headers).
  • Software version disclosures.
  • Self-XSS (exploitable only against the reporting user).
  • SPF/DKIM/DMARC configuration issues.
  • Clickjacking on non-sensitive, unauthenticated pages.

5. Rewards

Payouts are based on the business impact and severity of the vulnerability. Rewards go to the first reporter who submits a valid, high-quality report for a unique issue.

6. Legal Status & Safe Harbor

We stand behind researchers who act responsibly.

If your security testing is conducted within the boundaries of this policy, your activity will be considered authorized. We commit not to initiate or support any legal action against you for your research.

Thank you for helping us make the world a safer place!