We are committed to keeping our application secure and award responsible disclosed vulnerabilities according to these rules.
All 84codes owned web services that handle reasonably sensitive user data are in scope. This includes:
Not in scope:
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the issues that typically do not earn a monetary reward:
Rewards for qualifying bugs range from Credits to $2,000. The following table outlines the usual rewards chosen for the most common classes of bugs.
When investigating a vulnerability, please, only ever target your own accounts. Never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to other users. In the case the same vulnerability is present on multiple products, please combine and send one report. If you have found a vulnerability, please contact us at firstname.lastname@example.org, if needed use this PGP key. Note that we are only able to answer technical vulnerability reports. Duplicate reports will not be rewarded, first report on the specific vulnerability will be rewarded. The report should include steps in plain text how to reproduce the vulnerability (not only video or images).
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law. This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion. Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.
This Vulnerability Reward Program was last revised on June 23, 2021.