Security Bug Bounty Policy
Thank you for helping us improve the security of our products and services. We welcome responsible disclosure of security vulnerabilities and will make every effort to acknowledge your contributions.
If you believe you have discovered a security vulnerability in any of our products or services, we encourage you to notify us. We will work with you to verify the vulnerability and patch it as soon as possible.
To report a vulnerability, please send an email to security@safello.com with a description of the issue, a description of how to reproduce it, and any relevant supporting information. All sensitive communication must be encrypted and signed using PGP. Please also let us know if you wish to be recognized in our Hall of Thanks, and if so, specify the name or handle you prefer us to use.
Reward Program
We will pay a bounty for eligible security vulnerabilities based on the severity and impact of the issue. Severity will be determined by our in-house security team based on industry-standard guidelines. Bounties will be paid out in accordance with the assessment of our security team and our reward guidelines.
Reward Guidelines
1. Rewards will vary based on the severity and potential impact of the vulnerability.
2. We appreciate responsible disclosure. Please do not share the issue with others until it has been resolved.
3. Only submit reports for vulnerabilities that have not been previously reported.
Scope
Our Bug Bounty Program covers all aspects of Safello operations. This includes all the apps and APIs.
Please focus your testing on these areas.
Responsible Disclosure
We expect all participants to adhere to responsible disclosure practices.
This means you should not exploit the vulnerability for any reason other than to demonstrate the security issue.
Eligibility
To be eligible for a bounty, you must:
• Be the first person to responsibly disclose the vulnerability to us.
• Not publicly disclose the vulnerability before we have had a reasonable opportunity to patch the issue.
• Not currently work for or consult for Safello, and not have done so in the past.
Exclusions
The following issues are not eligible for a bounty:
• Vulnerabilities that have already been reported or fixed.
• Vulnerabilities in third-party software or libraries.
• Denial of Service attacks.
• Spam or social engineering techniques.
Disclaimer
This program is for testing the security of our products and services. You should not violate any laws or any user's privacy in your testing. We reserve the right to cancel or modify the program at any time.