Services in scope
All 84codes owned web services that handle reasonably sensitive user data are in scope. This includes:
Not in scope:
- Our public static websites, Statuspage sub-domains and other sites run by a 3rd party.
This includes but are not limited to the following domains:
- www.84codes.com, www.cloudamqp.com, www.cloudkarafka.com, www.elephantsql.com, www.cloudmqtt.com
- docs.cloudamqp.com, docs.cloudkarafka.com, docs.elephantsql.com, docs.cloudmqtt.com
- status.cloudamqp.com, status.cloudkarafka.com, status.elephantsql.com, status.cloudmqtt.com
- email.cloudamqp.com, email.elephantsql.com
- Third party services leaking customer servers metadata and/or credentials (e.g. GitHub, Prometheus, Grafana)
- Vulnerabilities in RabbitMQ, Apache Kafka, PostgreSQL or Mosquitto, please report responsibly directly to the project in question
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
- Cross-site scripting
- Cross-site request forgery
- Mixed-content scripts
- Authentication or authorization flaws
- Server-side code execution bugs
Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, brute force authentication, or do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.
Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the issues that typically do not earn a monetary reward:
- Bugs requiring exceedingly unlikely user interaction
- Brute forcing
- User enumeration
- Non security related bugs (e.g. disclosure of server/software versions)
- CSRF to log in or log out (unless chained with another vulnerability to demonstrate impact)
Reward amounts for security vulnerabilities
Rewards for qualifying bugs range from Credits to $2,000. The following table outlines the usual rewards chosen for the most common classes of bugs.
1. The impact assessment is based on the attack’s potential for causing privacy violations, financial loss, and other user harm, as well as the user-base reached.
2. The probability assessment takes into account the technical skill set needed to conduct the attack, the potential motivators of such an attack, and the likelihood of the vulnerability being discovered by an attacker.
The final amount is always chosen at the discretion of the reward panel. In particular, we may decide to pay higher rewards for unusually clever or severe vulnerabilities; decide to pay lower rewards for vulnerabilities that require unusual user interaction; decide that a single report actually constitutes multiple bugs; or that multiple reports are so closely related that they only warrant a single reward.
Investigating and reporting bugs
When investigating a vulnerability, please, only ever target your own accounts. Never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to other users.
In the case the same vulnerability is present on multiple products, please combine and send one report.
If you have found a vulnerability, please contact us at firstname.lastname@example.org, if needed use this PGP key. Note that we are only able to answer technical vulnerability reports.
Duplicate reports will not be rewarded, first report on the specific vulnerability will be rewarded.
The report should include steps in plain text how to reproduce the vulnerability (not only video or images).
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.
Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.
This Vulnerability Reward Program was last revised on June 28, 2022.