Security and permissions

Bug Bounty Program

Introduction

Welcome to Pullpo's Bug Bounty Program! We are committed to ensuring the security and integrity of our platform. We believe in the power of collaborative security and invite security researchers, ethical hackers, and IT professionals to help us identify and resolve potential vulnerabilities in our systems.

Program Scope

This bug bounty program covers the following Pullpo assets:

  • Main website: https://www.pullpo.io
  • Pullpo web application
  • Pullpo API endpoints

Out of Scope

The following are considered out of scope for this program:

  • Third-party services or websites
  • Physical security vulnerabilities
  • Social engineering attacks
  • Denial of Service (DoS) attacks

Vulnerability Types

We are particularly interested in the following types of vulnerabilities:

  1. Remote Code Execution (RCE)
  2. SQL Injection
  3. Cross-Site Scripting (XSS)
  4. Cross-Site Request Forgery (CSRF)
  5. Authentication or Authorization Flaws
  6. Server-Side Request Forgery (SSRF)
  7. Information Disclosure
  8. Business Logic Flaws

Reporting a Vulnerability

To report a vulnerability, please send an email to [email protected] with the following information:

  1. A detailed description of the vulnerability
  2. Steps to reproduce the issue
  3. Proof of Concept (PoC) if applicable
  4. Impact of the vulnerability
  5. Suggested mitigation or fix (if known)

Please allow up to 48 hours for an initial response to your report.

Rewards

Rewards for valid and previously unreported vulnerabilities will range from $0 to $500, depending on the risk and impact of the vulnerability detected. The final reward amount will be determined by our security team based on the following factors:

  • Severity of the vulnerability
  • Quality of the report
  • Potential impact on our users and systems
  • Complexity of exploitation

Rules and Guidelines

  1. Do not attempt to exploit vulnerabilities beyond what is necessary to demonstrate the issue.
  2. Do not access, modify, or delete data that does not belong to you.
  3. Do not conduct tests that could degrade or disrupt our services.
  4. Keep all information about vulnerabilities confidential until they have been resolved.
  5. Do not share or disclose any information about the vulnerability until we have addressed it and given permission to disclose.

Safe Harbor

We pledge not to pursue legal action against researchers who:

  1. Make a good faith effort to comply with this policy
  2. Do not violate any laws
  3. Do not compromise user privacy or safety

Acknowledgments

We appreciate the efforts of all security researchers who contribute to making Pullpo more secure. With your permission, we will acknowledge your contribution on our security acknowledgments page once the reported issue has been resolved.

Changes to the Program

Pullpo reserves the right to modify or terminate this bug bounty program at any time. Any changes will be reflected in an updated version of this document.

Thank you for helping us keep Pullpo secure!
