Scope
In-Scope Targets:
- https://brightsec.com
- https://app.brightsec.com
Testing is only authorized on the targets listed as In-Scope. Any domain/property of Bright Security not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
This program excludes (regardless of coverage indicated above):
- Clickjacking
- External SSRF
- Anything related to Mail Server Domain Misconfiguration (including email spoofing, missing DMARC, SPF/DKIM, etc.)
- Brute Force attacks on our Login or Forgot Password pages
- Account lockout enforcement
- Internal IP address disclosure
- Username / Email Enumeration
- No Captcha / Weak Captcha / Captcha Bypass
- Missing HTTP security headers
- Cookie Issues
- SSL Issues
- Weak password policies (length, complexity, etc.)
- Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of Bright Security’s platform
- Vulnerabilities that require social engineering
- WordPress “issues” such as xmlrpc that are mitigated by our hosting provider
- Out-of-date browsers and plugins
- Vulnerabilities in 3rd party applications that do not directly affect our data or service
- Spam of any kind
- Denial of service attacks
- Issues already known by us or previously reported to us by others
- Issues that we have determined to be of acceptable risk
Submissions containing issues related to the above list of exclusions will not be eligible for reward. If you have found a vulnerability that is excluded by our program, you may still report it as part of our vulnerability disclosure program.
Act responsibly
The rules of responsible disclosure of vulnerabilities include, but are not limited to:
- Avoid accessing, exploiting, or exposing any customer data other than your own.
- Avoid any action that may degrade our services or harm our customers (for example, overloading our systems)
- Do not use any social engineering techniques, such as sending phishing emails to Bright Security’s employees, partners, or customers
- If methods are used that do not comply with your local law and/or the responsibility rules above, law enforcement authorities will be notified
Reproducibility
Our security team and engineers must be able to reproduce the reported security flaw. Make sure your report is clearly written and includes all the necessary information so we can reproduce the flaw. Please include:
- Type of vulnerability
- When applicable, include the URL
- The potential impact of the vulnerability
- Step-by-step instructions to reproduce the issue, including any proof-of-concept or exploit code
- Screenshots and/or videos illustrating the vulnerability
Definition of a Vulnerability
To be eligible for a reward, your finding must be considered valid by the Bright Security security team.
Reward
We base all payouts on impact and will reward accordingly. Please emphasize the impact as part of your submission.
We are particularly interested in:
- Major exposures of customer data
- Issues that result in full compromise of a system
- Business logic bypasses resulting in significant impact
- Major operational failure (excluding Denial of Service related submissions)
Keep in mind:
- Only one bounty will be awarded per vulnerability
- If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
- Our reward system is flexible. We have no minimum or maximum amounts as rewards are based on severity, impact, and report quality.
- Vulnerabilities affecting our platform or platform-related plugins typically have a higher impact.
Reporting
You can contact us via bugbounty@brightsec.com to report any vulnerability or if you have questions about this program.
Bright Security understands the importance of disclosure of vulnerabilities and we are happy to allow disclosure in certain instances.
- You must receive explicit permission from Bright Security if you would like to disclose any finding or vulnerability. This includes any findings listed on the program exclusion list above.
- You may not discuss any vulnerabilities with anyone or on any forum outside of Bright Security’s bug bounty program unless you have permission from Bright Security.
- Reports that are not considered valid vulnerabilities (Informative, Spam, etc.) are not eligible for disclosure.
- Only resolved reports are eligible for disclosure.
- The request for disclosure must be made by the bug bounty hunter who originally reported the vulnerability to Bright Security.
- Duplicate reports are not eligible for disclosure.
Requesting Permission
To request permission for disclosure, you may email bugbounty@brightsec.com.
Bright Security has the right to approve or deny the request for any reason.
Violation of Terms
By participating in Bright Security’s bug bounty program, you are agreeing to this policy.
If any of the rules of this disclosure policy are broken, Bright Security has the right to take legal action against the person who violated them. That person will also be banned from all future participation in the Bright Security bug bounty program.