independent-programs.yml

# Independent CVD Programs - manually submitted, not managed on any platform
# See the "Submitting a Program" section in the README for field details
#
# Required fields: company, url
# Optional fields: contact, rewards, min_payout, max_payout, currency,
#   safe_harbor, allows_disclosure, domains, pgp_key, preferred_languages,
#   description, program_type, status, scope, out_of_scope, testing_policy_url,
#   excluded_methods, requires_account, payout_table, disclosure_timeline_days,
#   response_sla_days, legal_terms_url, hall_of_fame_url, swag_details,
#   reporting_url, standards

companies:

- company: atlan.com
  url: https://atlan.com/responsible-disclosure-program/
  contact: mailto:security@atlan.com
  rewards:
  - '*bounty'
  - '*recognition'
  - '*swag'
  program_type: vdp
  status: active
  description: This Vulnerability Disclosure Policy (VDP) establishes guidelines for security researchers to report vulnerabilities they discover in Atlan’s systems. We are committed to working with researchers who act in good faith to help us maintain the highest security standards.
  out_of_scope:
  - https://atlan.com (Marketing website)
  - Open Source Repositories
  - https://metadatabank.atlan.com
  - 'Third-party services not owned or controlled by Atlan, including:'
  - https://blog.atlan.com
  - https://university.atlan.com
  - https://humansofdata.atlan.com
  - https://docs.atlan.com
  domains:
  - '*.atlan.com (excluding explicitly out-of-scope domains listed below)'
  - Atlan’s main application and associated services that process customer data
  - API endpoints and authentication systems
  swag_details: Amazon gift cards, Atlan swag and merchandise Public recognition on our Hall of Fame

- company: atmail.com
  url: https://www.atmail.com/bug-bounty-terms/
  contact: mailto:security@atmail.com.
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  safe_harbor: full
  allows_disclosure: true
  description: Atmail is committed to protecting our customers and their users. As part of this commitment, we invite security researchers to help protect Atmail and its users by proactively identifying security vulnerabilities via our bug bounty program. Our program is inclusive of all Atmail brands and technologies and offers rewards for a wide array of vulnerabilities. We encourage security researchers looking to participate in our bug bounty program to review this policy to ensure compliance with our rules
  out_of_scope:
  - Any domain that is an alias (CNAME) for a third-party system, or is being proxied through a CDN such as Cloudflare directly to a third-party platform. e.g. billing.atmail.com, success.atmail.com, status.atmail.com.
  - All third party services associated with Atmail services.
  domains:
  - '*.atmail.com, including www.atmail.com within the scope listed below. Excluding billing.atmail.com'
  - '*.atmail.cloud'
  - All Atmail code shipped with it’s product, both source and binaries (in binary form) as supplied.
  - Only the latest versions of the currently shipped and supported products are in scope.
  - All Atmail Hosted services, both public and private cloud installations.
  - All Atmail supplied customer service portals, third-party components excluded.
  - www.atmail.com, limited to the contents being served from this website, and not third-party components that may present as accessible via this website.
  min_payout: 50
  max_payout: 5000
  currency: USD
  payout_table:
    critical: 5000
    high: 2000
    medium: 500
    low: 48
  disclosure_timeline_days: 90

- company: aurasell.ai
  url: https://www.aurasell.ai/bug-bounty
  contact: mailto:security@aurasell.ai
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: |-
    At Aurasell, security is a top priority. While we work hard to protect our platform and customers, we recognize that vulnerabilities can still occur. We encourage independent security researchers to help us improve the safety of our products and services.

    If you believe you have discovered a security vulnerability in Aurasell, we want to hear from you. Please review this page carefully before submitting a report.
  domains:
  - Aurasell web applications
  - Aurasell administrative consoles
  - Aurasell APIs
  - Other Aurasell-owned production services
  min_payout: 5
  max_payout: 1000
  currency: USD
  payout_table:
    critical: 1000
    high: 500
    medium: 200
    low: 5

- company: AxisPay
  url: https://axispay.tech/legal/disclosure
  contact: mailto:security@axispay.tech
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  safe_harbor: partial
  preferred_languages: English
  description: We do not currently offer a bug bounty program. However, we are grateful to researchers who submit valid reports and help us improve our security. We may offer non-monetary recognition at our discretion for significant findings.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  - automated_scanning
  scope:
  - target: axispay.tech/*
    type: This marketing site and all its subpages
  - target: dashboard.axispay.tech
    type: AxisPay Portal
  - target: axisvoice.com
    type: AxisVoice
  - target: axispass.app
    type: AxisPass
  out_of_scope:
  - Third-party services we do not operate
  - Social engineering, phishing, or physical attacks
  - Denial-of-Service (DoS) or resource-exhaustion attacks
  - Automated scanning that impacts service availability
  domains:
  - axispay.tech/*
  - dashboard.axispay.tech
  - axisvoice.com
  - axispass.app
  response_sla_days: 2
  hall_of_fame_url: https://axispay.tech/legal/disclosure#hall-of-fame

- company: Bambu Lab
  url: https://bambulab.com/en/bug-bounty-program
  contact: mailto:security@bambulab.com
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: |-
    Through our Bug Bounty Program, we collaborate with the security community to identify vulnerabilities early and strengthen the safety and reliability of our systems. Please refer to the detailed testing scope and reward rules below.
    Link - https://bambulab.com/en/bug-bounty-program#scopeAndBounty
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: '*.bambulab.com and makerworld.com'
    type: web
  - target: Bambu Handy, Bambu Studio, Bambu Suite and Bambu Connect
    type: PC & App
  - target: X-series, P-series, A-series, and H-series firmware
    type: Device
  out_of_scope:
  - srm.bambulab.com
  - prm.bambulab.com
  domains:
  - '*.bambulab.com'
  - makerworld.com
  response_sla_days: 10
  reporting_url: https://bambulab.com/en/bug-bounty-program/reports/create

- company: bentley.com
  url: https://www.bentley.com/legal/bug-bounty-report/
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: At Bentley Systems, we take the security of our systems and products seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
  out_of_scope:
  - Bentley Systems’ Infrastructure (VPN, Mail Server, SharePoint, Skype, etc.)
  - Findings from physical testing, such as office access (e.g., open doors, tailgating)
  - Findings derived primarily from social engineering (e.g., phishing, vishing)
  - Findings from applications or systems not listed in the ‘Scope’ section
  - Any services hosted by 3rd-party providers and services
  - Obsolete/deprecated software
  - Obsolete/deprecated software
  - https://seequent.frontify.com/
  - https://events.seequent.com/
  - https://community.seequent.com/
  - https://lms.seequentlearning.com/
  - https://partners.seequent.com/
  - eventhub.bentley.com
  - On24 related issues
  domains:
  - All _.bentley.com subdomains
  - All Bentley Systems desktop products (Only CONNECT Edition and Later)
  - All Bentley Systems mobile apps (distributed only on Play and App stores)
  - All Bentley Cloud Applications and Services
  - All Bentley Open-Source Projects (including imodeljs.org)
  min_payout: 100
  max_payout: 1000
  currency: USD
  disclosure_timeline_days: 90

- company: BSI Germany
  url: https://www.bsi.bund.de/EN/IT-Sicherheitsvorfall/IT-Schwachstellen/it-schwachstellen_node.html
  contact: mailto:vulnerability@bsi.bund.de
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  safe_harbor: partial
  allows_disclosure: true
  preferred_languages: German, English
  description: Federal Office for Information Security (BSI) coordinates vulnerability disclosure for German federal IT systems. No prosecution of researchers acting in good faith under the published policy.

- company: BT Group
  url: https://www.bt.com/about/contact-bt/responsible-disclosure
  contact: https://www.bt.com/about/contact-bt/responsible-disclosure
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  safe_harbor: partial
  allows_disclosure: false
  preferred_languages: English
  pgp_key: https://www.bt.com/.well-known/btcertcc_public.asc
  description: BT Group responsible disclosure program covering BT, EE, Plusnet, and Openreach products and services.
  excluded_methods:
  - dos
  scope:
  - target: BT Group products and services
    type: web
  - target: BT Group network infrastructure
    type: network
  out_of_scope:
  - Non-exploitable vulnerabilities
  - Missing security headers without demonstrated impact
  response_sla_days: 1
  disclosure_timeline_days: 90
  hall_of_fame_url: https://www.bt.com/about/contact-bt/responsible-disclosure/hall-of-fame

- company: C-SINT
  url: https://www.csint.pro/bug_bounty
  contact: mailto:bugbounty@csint.pro
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: Help secure the csint.pro intelligence platform and earn rewards for high‑quality.For best results, start with the official vulnerability report template linked below, then email it as an attachment - https://www.csint.pro/bugbounty/assets/security_vulnerability_report_template.pdf
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: '*.csint.pro'
    type: web
  - target: authentication, dashboard, OSINT search, subscriptions, user settings
    type: main web app
  - target: /login, /register, /dashboard, /api/*, /admin/*
    type: endpoints
  - target: application servers, load balancers, CDN config, databases, TLS and security headers
    type: Infrastructure we control
  out_of_scope:
  - Third‑party processors, analytics, email providers, CDN infrastructure not configured by csint.pro.
  - Hosting provider, ISP, registrar, certificate authority, or any systems not owned by csint.pro.
  - Physical testing, social engineering against users, or harassment of staff or customers.
  - DoS/DDoS, resource exhaustion, data destruction, or any service disruption.
  - Persistent backdoors, malware, credential harvesting, or pivoting to internal networks.
  domains:
  - '*.csint.pro'
  response_sla_days: 2

- company: CERN
  url: https://security.web.cern.ch/home/en/cvd.shtml
  contact: mailto:Computer.Security@cern.ch
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  allows_disclosure: true
  preferred_languages: English, French
  description: CERN Coordinated Vulnerability Disclosure program for reporting security vulnerabilities in CERN systems and services.
  excluded_methods:
  - automated_scanning
  scope:
  - target: CERN systems and services
    type: web
  hall_of_fame_url: https://security.web.cern.ch/home/en/kudos.shtml

- company: coderpad.io
  url: https://coderpad.io/vulnerability-disclosure-policy/
  contact: mailto:bugbounty@coderpad.io
  rewards:
  - '*bounty'
  - '*recognition'
  program_type: bounty
  status: active
  description: CoderPad intends to keep its service secure and protect its customers’ data. If you’ve found a security issue that you believe we should know about, you can submit it to our team. Eligible findings can receive a reward as stated below.
  domains:
  - Accepted targets are coderpad.io and all its existing subdomains, with the exception of trustcenter.coderpad.io, status.coderpad.io and metabase related subdomains.
  min_payout: 49
  max_payout: 500
  payout_table:
    critical: 500
    high: 250
    medium: 100
    low: 50

- company: codingame.com
  url: https://www.codingame.com/work/vulnerability-disclosure-policy/
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  allows_disclosure: true
  out_of_scope:
  - 'Our basic principle for this program : we consider as a valid vulnerability, only those that can reasonably lead to : data leak, credential leak, undue data modification or deletion, real and reproducible impact on performance / availability. A few low level issues of which impact can be questioned may also be out of scope purposely (due to risk VS benefit considerations).'
  domains:
  - Accepted targets are codingame.com, codingame.eu, codingame-app.com and all their existing subdomains, with the exception of metabase.codingame.com.
  min_payout: 50
  max_payout: 500
  currency: USD
  payout_table:
    critical: 500
    high: 250
    medium: 100
    low: 50

- company: CrowdProof
  url: https://crowdproof.id/security
  contact: mailto:security@crowdproof.id
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: DIDRegistry, ReputationOracle, CredentialVerifier, PaymentEscrow, GovernanceToken
    type: Smart contracts
  - target: crowdproof-api.azurewebsites.net
    type: Backend API
  - target: portal.crowdproof.id
    type: portal
  - target: crowdproof.id
    type: web
  - target: TypeScript, Python, Go, C#, Java, Swift
    type: SDKs
  - target: ReputationProof, AgeProof, KYCProof
    type: ZK circuits
  out_of_scope:
  - Social engineering or phishing attacks
  - Denial of service (DoS/DDoS) attacks
  - Vulnerabilities in third-party services (Stripe, Persona, Azure)
  - Issues requiring physical access to hardware
  - Known issues already listed in our GitHub issue tracker
  domains:
  - crowdproof-api.azurewebsites.net
  - portal.crowdproof.id
  - crowdproof.id
  min_payout: 100
  max_payout: 25000
  currency: USD
  hall_of_fame_url: https://crowdproof.id/security#acknowledgments

- company: DENSO WAVE
  url: https://www.denso-wave.com/en/psirt/
  contact: https://www.denso-wave.com/en/contact/psirt/
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  preferred_languages: English, Japanese
  description: DENSO WAVE vulnerability disclosure program for DENSO WAVE products, following ISO 29147 coordinated disclosure.
  response_sla_days: 5
  standards:
  - ISO 29147

- company: DNSLookup
  url: https://dnslookup.pro/security
  contact: mailto:security@dnslookup.pro
  rewards:
  - '*swag'
  program_type: vdp
  status: active
  description: |-
    DNSLookup does not currently offer a formal bug bounty program with monetary rewards, but deeply appreciates the contributions of security researchers.

    What is Offered:
    - Public Recognition: Listing in the Security Hall of Fame (with the researcher’s permission)
    - Swag: DNSLookup.pro merchandise for significant findings
    - Professional Reference: LinkedIn endorsement or reference letter
    - CVE Credit: Attribution if the vulnerability is assigned a CVE ID
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  out_of_scope:
  - Third-party services (Cloudflare, Google Analytics, etc.)
  - Social engineering attacks against our staff
  - Physical attacks on infrastructure
  - Denial of Service (DoS/DDoS) attacks
  domains:
  - '*.dnslookup.pro'
  hall_of_fame_url: https://dnslookup.pro/security

- company: docs.range.org
  url: https://docs.range.org/resources/bug-bounty
  contact: mailto:security@range.org
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  safe_harbor: full
  allows_disclosure: true
  description: Range runs a bug bounty program that rewards security researchers who help protect our platform and customers. Submit vulnerabilities in any Range product or infrastructure to security@range.org.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  - automated_scanning
  out_of_scope:
  - stage.range.org and other non-production environments
  - Social engineering, phishing, or physical attacks
  - Denial of service (DoS/DDoS) and volumetric testing
  - Issues in third-party services we do not control
  - Reports from automated scanners without a working proof of concept
  - Best-practice recommendations without a demonstrable vulnerability
  - Missing security headers (CSP, HSTS, X-Frame-Options) without a demonstrated exploit
  - SPF, DKIM, or DMARC configuration issues
  - Self-XSS, clickjacking on pages without sensitive actions, and CSRF on logout or non-state-changing endpoints
  - Rate limiting or brute-force concerns without a clear impact path
  - Username or email enumeration
  - Vulnerabilities in outdated browsers or already-patched dependencies without a working proof of concept
  - Issues already known to the team or previously reported
  domains:
  - range.org and all *.range.org subdomains
  - Range platform, APIs (Risk, Data, Faraday), and dashboards
  - Authentication and authorization flows
  - Remote code execution, SQL injection, SSRF, and server-side template injection
  - Broken access control, IDOR, and privilege escalation
  - Authentication bypass and account takeover
  - Sensitive data exposure and information disclosure
  - Stored or reflected XSS with demonstrable impact
  min_payout: 250
  max_payout: 10000
  currency: USD
  payout_table:
    critical: 10000
    high: 1000
    medium: 5000
    low: 250
  disclosure_timeline_days: 90

- company: Fluxer
  url: https://fluxer.app/security
  contact: mailto:security@fluxer.app
  rewards:
  - '*bounty'
  - '*recognition'
  program_type: bounty
  status: active
  preferred_languages: English
  description: Fluxer may award a Bug Hunter badge and Fluxer Plutonium gift codes for valid reports.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  - automated_scanning
  out_of_scope:
  - Third-party services and infrastructure we do not control, including partner communities' independent integrations, bots, and external hosting providers.
  - Physical security
  - Social engineering
  - Phishing
  - Bribery
  - Coercion
  - Attempts to manipulate Fluxer staff or users are also out of scope.
  - DoS attacks
  - Traffic flooding
  - Resource exhaustion testing
  - Noisy automated scanning
  - Bulk testing without a clear impact
  - General UI bugs
  - Feature requests and ordinary support issues are out of scope
  - Application-layer DoS vulnerabilities that can be demonstrated with a single unauthenticated request or a small number of requests may be reported, but do not actively exploit them at scale.
  - Issues in forked, modified, or outdated self-hosted deployments are out of scope unless they are reproducible on the latest official release. Low-impact or theoretical findings, such as missing best-practice headers, are usually not prioritised unless you can show a realistic attack path and concrete security impact.
  domains:
  - '*.fluxer.app'
  - '*.fluxer.gg'
  - '*.fluxer.gift'
  - '*.fluxerapp.com'
  - '*.fluxer.dev'
  - '*.fluxerusercontent.com'
  - '*.fluxerstatic.com'
  - '*.fluxer.media'

- company: forexfactory.com
  url: https://www.forexfactory.com/bug-bounty
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: |-
    If you're a security researcher or believe you've found a vulnerability in one of our products, the Bug Bounty Program at Forex Factory allows you to submit vulnerability reports directly to us and receive a reward.

    We believe responsible disclosure should be compensated fairly and encourage the security researcher community to hunt for, find, and report issues.
  domains:
  - '*.forexfactory.com'
  - '*.cryptocraft.com'
  - '*.energyexch.com'
  - '*.metalsmine.com'
  min_payout: 100
  max_payout: 10000
  currency: USD
  payout_table:
    critical: 10000
    high: 5000
    medium: 1000
    low: 100

- company: foundation.xyz
  url: https://foundation.xyz/responsible-disclosure/
  contact: mailto:security@foundation.xyz
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  allows_disclosure: true
  description: Foundation Devices, Inc. (“Foundation”) creates hardware, firmware, software, websites, and web-based services for customers, users, and employees. Foundation expends significant time and effort to ensure that these are all safe and secure. If you believe that you have found an issue or vulnerability, however, the bug bounty program below describes the actions you should take to report the issue, and under what conditions Foundation will pay out bug bounty rewards.
  out_of_scope:
  - 'Any service hosted at a domain outside of this list will not be considered relevant to this bug bounty program, with the following exception:'
  - Access to systems hosted by a 3rd party infrastructure provider, which has been deemed relevant to the hosting and securing of services at the domains listed above. The vulnerability must be addressable by our engineers. Foundation reserves the right to make this determination at its sole discretion.
  domains:
  - foundation.xyz
  - Primary e-commerce domain above, checkout functionality, WooCommerce admin areas
  currency: USD
  payout_table:
    critical: 500
    high: 200
    medium: 100
    low: 50

- company: FreeFires
  url: https://freefires.site
  rewards:
  - '*bounty'
  - '*recognition'
  - '*swag'
  program_type: bounty

- company: geckoboard.com
  url: https://support.geckoboard.com/en/articles/6055718-report-a-security-vulnerability-and-responsible-disclosure-policies
  rewards:
  - '*bounty'
  program_type: vdp
  status: active
  description: We welcome reports from security researchers and experts about possible security vulnerabilities with our service. We're particularly interested in hearing about vulnerabilities that impact the confidentiality or integrity of user information or systems, and have the potential to impact a large number of people.
  out_of_scope:
  - www.geckoboard.com, community.geckoboard.com, support.geckoboard.com, etc. are out of scope.
  domains:
  - app.geckoboard.com
  max_payout: 500
  currency: USD

- company: Go Deed Inc
  url: https://www.joindeed.com/security
  contact: mailto:security@joindeed.com
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  description: Deed do not offer monetary payouts through their bug bounty program, as they believe security researchers and pentesters should be fairly compensated rather than contributing unpaid labor for unspecified rewards. However, as a token of appreciation for responsibly disclosed vulnerabilities, offer Deed swag and recognition in their Security Hall of Fame.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  hall_of_fame_url: https://www.joindeed.com/security

- company: Hitachi
  url: https://www.hitachi.com/hirt/
  contact: https://www8.hitachi.co.jp/inquiry/hitachi-ltd/it/hirt/en/form.jsp
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  preferred_languages: English, Japanese
  description: Hitachi Incident Response Team handles security vulnerabilities in Hitachi group IT and industrial control system products.
  scope:
  - target: Hitachi group IT products
    type: other
  - target: Industrial Control Systems
    type: hardware
  out_of_scope:
  - End-of-life products
  - Other manufacturers' products
  standards:
  - ISO 29147
  - ISO 30111
  hall_of_fame_url: https://www.hitachi.com/hirt/security/acknowledgments.html

- company: Iceline Hosting
  url: https://iceline-hosting.com/bug-bounty
  contact: mailto:reply@support.iceline-hosting.com
  rewards:
  - '*recognition'
  - '*swag'
  program_type: vdp
  status: active
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: iceline-hosting.com
    type: Iceline main website
  - target: shield.iceline-hosting.com
    type: Iceline Shield
  - target: game.iceline-hosting.com
    type: Iceline Game Panel
  - target: billing.iceline-hosting.com
    type: Iceline billing
  - target: vps.iceline-hosting.com
    type: Iceline VPS panel
  - target: status.iceline-hosting.com
    type: Status page
  - target: auth.iceline-hosting.com
    type: Auth
  out_of_scope:
  - Third-party services we don’t control (e.g. CDN, infrastructure providers)
  - Social engineering, phishing, DoS/DDoS
  - Known dependency issues without a working exploit
  - Low-impact issues with no demonstrable impact
  domains:
  - iceline-hosting.com
  - shield.iceline-hosting.com
  - game.iceline-hosting.com
  - billing.iceline-hosting.com
  - vps.iceline-hosting.com
  - status.iceline-hosting.com
  - auth.iceline-hosting.com
  reporting_url: https://support.retraflow.io/iceline-hosting

- company: Insight Health
  url: https://www.insighthealth.ai/security
  contact: mailto:security@insighthealth.ai
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  preferred_languages: English
  description: If you believe you've found a security vulnerability in an Insight Health product or service, we want to hear from you. Please email your report to [security@insighthealth.ai](mailto:security@insighthealth.ai)
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: nsighthealth.ai
    type: Web application
  - target: auth.insighthealth.ai
    type: Authentication service
  - target: app.insighthealth.ai
    type: Application platform
  - target: api.insighthealth.ai
    type: API
  out_of_scope:
  - Reports from automated scanners without manual verification or demonstrated impact.
  - Email auto-linking behavior (e.g., email clients rendering user-provided text as clickable hyperlinks).
  - Social engineering, phishing, or physical attacks against Insight Health employees or users.
  - Denial-of-service (DoS/DDoS) attacks or volumetric testing.
  - Content injection without demonstrated security impact (e.g., entering text into input fields that is later displayed).
  - Missing security headers that do not lead to a demonstrated exploit.
  - Self-XSS (where the victim must paste code into their own browser console).
  - Rate limiting or brute-force issues on non-authentication endpoints.
  - Vulnerabilities in third-party services, libraries, or upstream providers unless they directly compromise Insight Health systems.
  - Reports that require unlikely or impractical user interaction.
  - SPF/DKIM/DMARC configuration suggestions without demonstrated spoofing impact.
  domains:
  - nsighthealth.ai
  - auth.insighthealth.ai
  - app.insighthealth.ai
  - api.insighthealth.ai
  response_sla_days: 3

- company: Instant Gaming
  url: https://www.instant-gaming.com/en/docs/bugbounty/
  contact: https://www.instant-gaming.com/en/support/
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  safe_harbor: full
  preferred_languages: English
  description: Instant Gaming invites security researchers to responsibly disclose vulnerabilities affecting its website, public APIs, and mobile applications. Bounties are awarded based on severity using CVSS and internal risk assessment.
  excluded_methods:
  - dos
  - ddos
  - spam
  - brute_force
  - automated_abuse
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: instant-gaming.com and publicly discoverable subdomains
    type: web
  - target: Public APIs
    type: api
  - target: Instant Gaming and Instant Gaming News mobile applications
    type: mobile
  domains:
  - instant-gaming.com
  - '*.instant-gaming.com'
  - Public APIs
  - Instant Gaming iOS application
  - Instant Gaming Android application
  - Instant Gaming News iOS application
  - Instant Gaming News Android application
  reporting_url: https://www.instant-gaming.com/en/support/
  response_sla_days: 3

- company: keragon.com
  url: https://www.keragon.com/security/vulnerability-disclosure-program
  rewards:
  - '*bounty'
  - '*recognition'
  - '*swag'
  program_type: bounty
  status: paused
  safe_harbor: full
  allows_disclosure: true
  description: Keragon's bug bounty program uses a tiered model combining monetary rewards with recognition-based incentives.
  out_of_scope:
  - Third-party services integrated with Keragon (e.g., payment processors, email providers)
  - Social engineering attacks (phishing, vishing, physical)
  - Denial-of-service (DoS/DDoS) attacks
  - Automated scanning that generates excessive traffic
  - Any testing against customer data or production PHI environments
  - Findings from automated tools without demonstrated impact
  domains:
  - keragon.com and all subdomains
  - Keragon's public-facing web application
  - Keragon's public API endpoints
  - Keragon's authentication and authorization systems
  min_payout: 25
  max_payout: 2000
  currency: USD
  payout_table:
    critical: 2000
    high: 500
    medium: 200
    low: 48
  requires_account: false

- company: kindo.ai
  url: https://www.kindo.ai/vulnerability-disclosure-program
  contact: mailto:bugs@kindo.ai
  rewards:
  - '*bounty'
  - '*recognition'
  - '*swag'
  program_type: vdp
  status: active
  safe_harbor: full
  description: Kindo welcomes responsible security research and appreciates reports that help keep our systems and customers safe. If you believe you’ve found a security issue, please report it privately and we’ll work with you to investigate and remediate.
  out_of_scope:
  - 'The following are explicitly excluded from this VDP:'
  - Internal systems not accessible from the internet.
  - Systems of third-party vendors or partners.
  - Physical security vulnerabilities (e.g., building access).
  - Denial of Service (DoS) vulnerabilities. While we appreciate reports of potential DoS vulnerabilities, we ask that researchers refrain from testing them against our systems.
  - Social engineering attacks (e.g., phishing).
  - Vulnerabilities in third-party libraries or frameworks unless they are uniquely exploitable in our implementation.
  domains:
  - 'This VDP applies to all internet-facing systems and applications owned or operated by Kindo.ai, including:'
  - Kindo web properties
  - 'Including kindo.ai, app.kindo.ai, and all related subdomains: This includes the main corporate website, customer portal, and any related web applications.'
  - Deep Hat web properties
  - Including deephat.ai, app.deephat.ai, and all related subdomains.
  - API interfaces
  - This includes all publicly accessible APIs.
  - Acquired companies and related companies
  - Unless otherwise stated, this VDP also applies to systems and applications of companies acquired or owned by Kindo.ai.
  min_payout: 50
  max_payout: 1000
  currency: USD
  payout_table:
    critical: 1000
    high: 500
    medium: 150

- company: Lark
  url: https://www.larksuite.com/en_us/bugbounty
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access

- company: Mamentis
  url: https://mamentis.com/docs/resources/miscellaneous/submit-bug-request#security-issues
  contact: mailto:security@mamentis.com
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  preferred_languages: English
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  response_sla_days: 1

- company: mintlify.com
  url: https://www.mintlify.com/security/responsible-disclosure
  contact: mailto:security@mintlify.com
  rewards:
  - '*bounty'
  - '*recognition'
  program_type: hybrid
  status: active
  description: At Mintlify, we care deeply about the safety and security of our customer's data. We greatly value inputs from our community that can help us detect vulnerabilities in our product and services.
  out_of_scope:
  - Automated scanning
  - Social engineering, particularly involving Mintlify employees
  - Missing or insufficient rate limiting
  - Missing headers in responses, except in cases where material harm or exploitation is evident
  - Brute force attacks
  - DDOS attacks
  - Clickjacking on pages with no sensitive actions
  - Theoretical attacks without proof of exploitability
  - Attacks requiring physical access to a victim's device
  - Attacks requiring interceptin of a valid user's network traffic
  - Denial of service attacks
  domains:
  - https://mintlify.com/docs
  - https://dashboard.mintlify.com
  - https://leaves.mintlify.com
  - Mintlify GitHub apps
  - Vulnerabilities which apply to Mintlify's hosted documentation and customers' documentation. Do not attempt to reproduce or exploit these vulnerabilities on customer documentation without express permission and communication from the customer and Mintlify teams.
  requires_account: true

- company: Mitsubishi Electric
  url: https://www.mitsubishielectric.com/en/psirt/disclosurepolicy/index.html
  contact: https://www.mitsubishielectric.com/psirt/contact/index.html
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  preferred_languages: English, Japanese
  description: Mitsubishi Electric PSIRT handles security vulnerabilities in Mitsubishi Electric products, coordinating disclosure with JPCERT/CC.
  response_sla_days: 5
  out_of_scope:
  - End-of-life products
  standards:
  - ISO 29147

- company: nelko.com
  url: https://nelko.com/pages/vulnerability-disclosure-policy
  rewards:
  - '*recognition'
  - '*swag'
  program_type: vdp
  status: active
  safe_harbor: full
  allows_disclosure: false
  description: At Nelko, the security of our customers and the integrity of our hardware and digital ecosystem are our top priorities. We are committed to ensuring that personal information is protected carefully and handled with discretion. We appreciate the efforts of security researchers who help us identify and fix potential vulnerabilities.
  out_of_scope:
  - 'Third-Party Services: Services hosted by third parties (e.g., Shopify, PayPal, Mailchimp).'
  - 'Physical Security: Attacks against Nelko’s physical offices, warehouses, or personnel.'
  - 'Social Engineering: Phishing or deceptions targeting Nelko employees or customers.'
  domains:
  - 'Official Domain: .nelko.net'
  - 'Software: Official Nelko-branded mobile applications and printing software.'
  - 'Hardware: Firmware and communication protocols of Nelko-branded printers.'
  response_sla_days: 3
  swag_details: At our sole discretion, Nelko may provide product rewards (such as printers or consumable gift sets) to researchers who report significant, verified vulnerabilities as a token of our appreciation.

- company: nuuvem.com
  url: https://www.nuuvem.com/us-en/security
  contact: mailto:security@nuuvem.com
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: |-
    We know that, despite our continuous efforts to ensure the integrity of our systems, no security is infallible. That's why we are launching our Bug Bounty Program - an initiative aimed at further strengthening our digital security through collaboration with the security research and programming community.

    We are excited to invite researchers and programmers to participate in our Bug Bounty Program, designed to identify and fix vulnerabilities that may affect the security and privacy of our user
  domains:
  - nuuvem.com
  - nuuvem.com.br
  - nuuvem.co
  - nuuvem.host
  - nuuvem.dev
  - nuuvem.net
  - nuuvem.games
  - nuuvem.io
  - n-arcade.io
  max_payout: 5000
  currency: USD
  payout_table:
    high: 1499
    medium: 599
    low: 299

- company: obol.org
  url: https://docs.obol.org/advanced-and-troubleshooting/security/bug-bounty
  contact: mailto:security@obol.tech
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: At Obol Labs, we prioritize the security of our distributed validator software and related services. Our Bug Bounty Program is designed to encourage and reward security researchers for identifying and reporting potential vulnerabilities. This initiative supports our commitment to the security and integrity of our products.
  out_of_scope:
  - Social engineering
  - Rate Limiting (Non-critical issues)
  - Physical security breaches
  - Non-security related UX/UI issues
  - Third-party application vulnerabilities
  - The Obol static website or the Obol infrastructure
  - The operational security of node operators running or using Obol software
  domains:
  - Charon the DV Middleware Client
  - Obol DV Launchpad and Public API
  - Obol Splits Contracts
  - Obol Labs hosted Public Relay Infrastructure
  min_payout: 500
  max_payout: 100000
  currency: USD
  payout_table:
    critical: 100000
    high: 10000
    medium: 2500
    low: 499

- company: Orange Cyberdefense
  url: https://www.orangecyberdefense.com/de/vulnerability-disclosure-policy
  contact: mailto:vulnerability@orangecyberdefense.com
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  safe_harbor: full
  allows_disclosure: false
  preferred_languages: English
  description: Orange Cyberdefense vulnerability disclosure program covering digital infrastructures, platforms, applications, and products.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  response_sla_days: 5
  pgp_key: https://advisories.orangecyberdefense.com

- company: panteracapital.com
  url: https://panteracapital.com/pantera-bug-bounty/
  contact: mailto:security@panteracapital.com
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: Welcome to Pantera’s Bug Bounty Program. We appreciate your dedication to helping us improve our security and protect our users.
  out_of_scope:
  - Vulnerabilities in third-party services or applications
  - Social engineering attacks
  - Physical security vulnerabilities
  - Issues related to outdated browsers or unsupported software
  domains:
  - Web applications
  - Network infrastructure
  max_payout: 5000
  currency: USD
  payout_table:
    high: 1000

- company: Pathé
  url: https://www.pathe.com/wp-content/uploads/2023/12/Pathe-Politique-CVD.1.2.EN_.pdf
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  description: |-
    Pathé do care about the security of their systems, websites and applications as well as the protection of the data of their
    customers, employees and partners. As a thank you for your help, we offer a reward for every report of an unknown vulnerability.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: https://pathe.com/
    type: Pathé Corporate
  - target: https://cannes.patheinternational.com/
    type: Corner Digital Cannes
  - target: https://tiff.patheinternational.com/
    type: Corner Digital TIFF
  - target: https://afm.patheinternational.com/
    type: Corner Digital AFM
  - target: https://parisrdv.patheinternational.com/
    type: Corner Digital RDV PARIS
  - target: https://efm.patheinternational.com/
    type: Corner Digital EFM
  out_of_scope:
  - https://www.pathefilms.com/
  - https://www.patheinternational.com/
  - https://www.fondation-jeromeseydoux-pathe.com/
  domains:
  - pathe.com
  - cannes.patheinternational.com
  - tiff.patheinternational.com
  - afm.patheinternational.com
  - parisrdv.patheinternational.com
  - efm.patheinternational.com
  response_sla_days: 5
  reporting_url: https://app.zerocopter.com/en/cvd/76f239d7-adfb-4fff-803c-5fcd9d813952

- company: Pine AI
  url: https://www.19pine.ai/security
  contact: mailto:security@19pine.ai
  rewards:
  - '*recognition'
  - '*swag'
  program_type: vdp
  status: active
  description: |-
    Pine does not currently operate a formal bug bounty program and cannot guarantee monetary rewards. For valid, impactful findings disclosed responsibly, we may offer the following at our discretion.
    - Public acknowledgment on this page
    - A LinkedIn recommendation from our team
    - Pine swag
    - At our discretion, a one-time goodwill payment
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: '*.19pine.ai'
    type: Pine web application
  out_of_scope:
  - Social engineering, phishing, or physical attacks
  - Denial-of-service attacks
  - Vulnerabilities in third-party services we integrate with
  - Self-XSS or attacks requiring user-side manipulation without remote exploitation
  - Findings from automated scanners without demonstrated impact
  - Missing security headers without exploitable consequence
  - Content spoofing without credible risk
  - AI prompt injection from user-uploaded content, which is treated as user-level input by design
  domains:
  - '*.19pine.ai'
  response_sla_days: 3
  hall_of_fame_url: https://www.19pine.ai/security#acknowledgments

- company: pokee.ai
  url: https://pokee.ai/bug-bounty
  contact: mailto:support@pokee.ai
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: At Pokee AI, security is a top priority. We value the work of security researchers who help us keep our platform and users safe. If you discover a security vulnerability, we want to hear from you.
  out_of_scope:
  - Third-party services and integrations not operated by Pokee
  - Social engineering, phishing, or physical attacks against Pokee employees
  - Denial-of-service (DoS/DDoS) attacks
  - Spam or rate-limiting issues without a security impact
  - Vulnerabilities in outdated browsers or platforms we do not support
  - Reports from automated scanners without a demonstrated proof of concept
  - Clickjacking on pages with no sensitive actions
  - Missing security headers that do not lead to a demonstrable exploit
  domains:
  - pokee.ai — main website and web application
  - api.pokee.ai — public-facing API endpoints
  - Authentication and authorization mechanisms
  - Payment and billing flows
  - User data handling and storage
  - PokeeClaw environment isolation
  currency: USD
  payout_table:
    critical: 500
    medium: 200
    low: 100

- company: Prop Firm Match
  url: https://propfirmmatch.com/bug-bounty
  rewards:
  - '*bounty'
  - '*recognition'
  - '*swag'
  program_type: bounty
  status: active
  preferred_languages: English
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  out_of_scope:
  - Requires physical access.
  - Involves outdated/unpatched browsers.
  - Cosmetic UI issues (e.g., misalignments).
  - Clickjacking on non-sensitive/static pages.
  - Missing headers without exploitability.
  - Vulnerabilities in third-party software.
  - Rate limit/caching glitches (like view/like counts).
  - CSRF without proven exploit.
  - Broken links/redirects without security impact.
  - Unvalidated automated tool reports.
  response_sla_days: 2

- company: proxidize.com
  url: https://proxidize.com/legal/vulnerability-disclosure-policy/
  contact: mailto:security@proxidize.com
  rewards:
  - '*bounty'
  - '*recognition'
  program_type: bounty
  status: active
  description: |-
    At Proxidize Ltd, ensuring the safety and security of our customers, employees, and products is paramount.
    We appreciate the security community’s efforts in responsibly identifying and reporting vulnerabilities. This
    policy outlines the procedures and guidelines for submitting vulnerabilities to us.
    By submitting a vulnerability report, you acknowledge that you’ve read, understood, and agree to adhere to
    this policy.
  out_of_scope:
  - Any services or domains not explicitly listed above.
  domains:
  - proxidize.com and all its subdomains.
  - proxi.es and all its subdomains.
  - Proxidize SDK.
  min_payout: 100
  max_payout: 1500
  currency: USD
  payout_table:
    critical: 1500
    high: 1000
    medium: 500
    low: 100

- company: Recap Innovations
  url: https://recap-innovations.com/security/
  contact: mailto:security@recap-innovations.com
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  description: |-
    Recap Innovations believe in recognizing security researchers who help us improve our security posture. With your permission, we will:
    - Acknowledge your contribution in security acknowledgments page (if you wish to be named)
    - Provide a reference letter for verified, high-quality reports upon request'
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: '*.recap-innovations.com'
    type: web
  out_of_scope:
  - Social engineering attacks (phishing, etc.)
  - Denial of Service (DoS/DDoS) attacks
  - Physical security testing
  - Attacks requiring physical access to user devices
  - Third-party services we integrate with
  - Vulnerabilities in outdated browsers or operating systems
  - Reports from automated tools without validation
  - Issues already reported or publicly known
  domains:
  - '*.recap-innovations.com'
  response_sla_days: 2
  hall_of_fame_url: https://recap-innovations.com/security/

- company: Redvilla
  url: https://redvilla.tech/bug-bounty/
  contact: mailto:info@redvilla.tech
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  description: |-
    We give points based on the severity of the report. Make sure your email is in the right format, Subject: Bug Bounty – [Your Name] Content: Introduction – Report

    Note: We get reports in a very high volume. You can expect the response after manual review, and verification your report.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: '*.redvilla.tech'
    type: web
  domains:
  - '*.redvilla.tech'
  hall_of_fame_url: https://redvilla.tech/bug-bounty/

- company: requestfinance.com
  url: https://help.request.finance/en/articles/8623679-bug-bounty-program-at-request
  contact: mailto:security@request.finance
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  domains:
  - https://app.request.finance
  - https://requestfinance.com
  - Request Finance mobile app
  min_payout: 500
  max_payout: 20000
  currency: USD
  payout_table:
    critical: 20000
    high: 15000
    medium: 10000
    low: 2000

- company: Schuberg Philis
  url: https://schubergphilis.com/security
  contact: mailto:abuse@schubergphilis.com
  rewards:
  - '*bounty'
  - '*recognition'
  - '*swag'
  program_type: bounty
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  hall_of_fame_url: https://schubergphilis.com/security-hall-of-fame

- company: screenly.io
  url: https://www.screenly.io/bug-bounty/
  contact: mailto:security-advisory@screenly.io
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  safe_harbor: full
  allows_disclosure: true
  out_of_scope:
  - Stage and test environments that may reside on the same domains
  - Third-party services not owned or controlled by Screenly (e.g., payment providers, CDNs)
  - Denial-of-service or capacity stress testing
  - Social engineering, phishing, or physical attacks against employees, customers, or partners
  - Known public CVEs without a practical exploit path
  - Low-impact issues listed under “Non-Qualifying Issues”
  domains:
  - screenly.io (marketing site)
  - screenlyapp.com (web application)
  - Our digital signage players (Screenly Player / Player Max only)
  requires_account: false

- company: scribblemaps.com
  url: https://help.scribblemaps.com/hc/en-us/articles/360049250211-Vulnerabilities-And-Bounties
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  out_of_scope:
  - Anonymous community maps. Maps with no owner that are editable by anyone are a long-standing community feature. Saving over an anonymous map is not a vulnerability.
  - Unlisted (URL-as-credential) maps. Maps without LockView are intentionally accessible to anyone who knows the URL, similar to an unlisted YouTube video. Accessing or saving such a map by knowing its map code is by design.
  - Third-party software we host but do not maintain. Issues in GeoServer, Tomcat, or other third-party stacks deployed alongside our services. Please report these to the respective upstream maintainers.
  - Missing security headers without a concrete attack scenario. Reports about CSP, X-Frame-Options, HSTS, etc. without a working exploit are not eligible.
  - Rate limiting in isolation. Lack of rate limiting on endpoints where rate limiting is not security-critical, without a demonstrated abuse scenario.
  min_payout: 25
  max_payout: 2000
  currency: USD

- company: simbase.com
  url: https://simbase.com/terms/responsible-disclosure-policy
  contact: mailto:security@simbase.com
  rewards:
  - '*bounty'
  - '*recognition'
  - '*swag'
  program_type: bounty
  status: active
  safe_harbor: full
  allows_disclosure: true
  description: At Simbase, we are committed to maintaining the security of our systems and our customers' data. We provide global IoT connectivity services and understand the critical importance of safeguarding our in-house developed platform, which our customers rely on to manage their devices. We operate a responsible disclosure program and an active bug bounty program to reward security researchers who help us identify and fix vulnerabilities.
  out_of_scope:
  - Findings from automated tools or scans without manual validation
  - Third-party applications, services, or devices that interact with our platform
  - Denial of Service (DoS, DDoS) vulnerabilities
  - Mobile applications (unless explicitly included in a specific bounty program)
  - Attacks targeting Simbase customers or end users (not our systems)
  - Rate limiting bypass without demonstrable impact
  - Missing HTTP security headers without exploitable impact
  - SPF, DKIM, or DMARC configuration issues
  - Content injection vulnerabilities without confirmed exploitability
  - Issues requiring physical access to infrastructure
  - Social engineering or phishing attacks against Simbase employees
  domains:
  - simbase.com and all subdomains (excluding third-party hosted services)
  - REST API endpoints and authentication mechanisms
  - Dashboard and account management systems
  - Authentication systems (SSO, OAuth, API keys, token validation)
  - IoT infrastructure (device communication protocols, network security, data transmission)
  max_payout: 200
  currency: USD
  response_sla_days: 4
  disclosure_timeline_days: 90
  swag_details: $200 USD (or equivalent) in platform credit on Simbase,  10 free SIM cards
  requires_account: false

- company: SnapDeploy
  url: https://snapdeploy.dev/blog/bug-bounty-rewards-report-issues
  contact: mailto:contact@snapdeploy.dev
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: |-
    The reward can include Always-On credits or one month free on an existing container. Reward level depends on the quality of the report and the severity of the issue.

    The SnapDeploy program rewards many other bug categories, including functionality issues, UI problems, integration failures, and performance defects can all qualify if the report clearly demonstrates a reproducible problem.

    Bug reports can be submitted directly through the SnapDeploy dashboard. Navigate to Dashboard → Report Bug.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: '*.snapdeploy.dev'
    type: web
  out_of_scope:
  - Bugs in your own application code
  - Problems caused by user misconfiguration
  - Feature requests or product suggestions (submit these through the [feedback program](https://snapdeploy.dev/blog/earn-free-hours-feedback-rewards) instead)
  - Already reported bugs
  - Issues originating in third-party services
  - Social engineering attempts
  domains:
  - '*.snapdeploy.dev'
  response_sla_days: 7

- company: SomnoAI Digital Sleep Lab
  url: https://sleepsomno.com/en/security/bug-bounty
  contact: mailto:sleepsomno.com
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access

- company: Starnum.com.tw
  url: https://www.instagram.com/mychenan/
  contact: https://www.instagram.com/mychenan/
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  description: starnum.com.tw values the security of user data and the website. We welcome security researchers to report potential vulnerabilities through responsible disclosure, and we commit to responding openly, respectfully, and promptly.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: '*.starnum.com.tw'
    type: web
  out_of_scope:
  - Third-party services (Cloudflare infrastructure itself
  - Google Analytics, Supabase platform itself)
  - Social engineering attacks
  - Physical security
  domains:
  - '*.starnum.com.tw'
  reporting_url: 'https://Instagram DM: https://www.instagram.com/mychenan/'

- company: superside.com
  url: https://www.superside.com/bug-bounty-program-policy
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: Superside is dedicated to safeguarding the security of our users and customers. In line with this dedication, we extend an invitation to security researchers to assist us in protecting Superside and our users by proactively identifying security vulnerabilities through our bug bounty program. Our program offers an extensive array of rewards tailored to different types of vulnerabilities, ensuring that your efforts are not only recognized but also duly compensated. We encourage security researcher
  excluded_methods:
  - dos
  - social_engineering
  - physical_access
  out_of_scope:
  - Denial of Service attacks
  - Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
  - Attacks requiring physical access to a user's device
  - Mail configuration issues including SPF, DKIM, DMARC settings
  - IDORs using UUIDs without a direct way to enumerate those UUIDs
  - EXIF metadata stripping related reports
  - Third-party applications and third-party APIs
  domains:
  - https://app.supersidestaging.com/
  - https://internal.supersidestaging.com/
  - https://admin.supersidestaging.com/
  - https://api.supersidestaging.com/
  - https://api-internal.supersidestaging.com/
  min_payout: 0
  max_payout: 2000
  payout_table:
    critical: 2000
    high: 1000
    medium: 400
    low: 0

- company: Texas Instruments
  url: https://www.ti.com/technologies/security/report-product-security-vulnerabilities.html
  contact: mailto:psirt@ti.com
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  description: Texas Instruments PSIRT handles security vulnerabilities in TI semiconductor products including hardware, software, and documentation.
  scope:
  - target: TI semiconductor products
    type: hardware
  - target: TI product software and documentation
    type: other

- company: TMG Security
  url: https://tmgsec.com/bug-bounty/
  contact: mailto:security@tmgsec.com
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  preferred_languages: English
  description: We are not part of a cash/bug bounty program but are happy to issue a certificate of recognition to individuals who report security issues responsibly and help us make TMG Security systems more secure.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: tmgsec.com
    type: web
  - target: courses.tmgsec.com
    type: web
  out_of_scope:
  - Any subdomain or asset owned by TMG Security other than the two mentioned above is out of scope and is not eligible for any reward.
  - Check Detailed Out of Scope Vulnerabilities - https://tmgsec.com/bug-bounty/
  domains:
  - https://tmgsec.com
  - https://courses.tmgsec.com
  hall_of_fame_url: https://tmgsec.com/wall-of-fame/

- company: Toolglade
  url: https://toolglade.com/security-policy
  contact: mailto:security@toolglade.com
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  response_sla_days: 7

- company: Tribepad
  url: https://tribepad.b-cdn.net/app/uploads/2025/09/Vulnerability-Disclosure-Program.pdf
  contact: mailto:security@tribepad.com
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: https://testing.tribepad.uk
    type: Testing Team Careers Hub(web)
  - target: https://tribepad.com
    type: Main site(web)
  - target: https://manage.tribepad.com
    type: Trbepad Manage(web)
  - target: https://insights.tribepad.com
    type: Insights login(web)
  out_of_scope:
  - Report discovered vulnerabilities to Tribepad clients
  - Attempt to access any accounts or private data that does not belong to you
  - Attempt to modify or destroy any data of accounts that do not belong to you
  - 'Excluded platform features include:'
  - ● Groups
  - ● Communities
  - ● Clusters
  - ● Connections
  - ● Messages
  domains:
  - https://testing.tribepad.uk
  - https://tribepad.com
  - https://manage.tribepad.com
  - https://insights.tribepad.com
  response_sla_days: 2

- company: Tuturuuu
  url: https://tuturuuu.com/security
  contact: mailto:security@tuturuuu.com
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  preferred_languages: English
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  out_of_scope:
  - Social engineering, phishing, harassment, or attempts to target Tuturuuu staff or users.
  - Denial-of-service, load testing, spam, automated scanning at scale, or resource exhaustion.
  - Physical attacks, employee device compromise, or issues requiring stolen credentials.
  - Provider-native behavior without a demonstrated Tuturuuu product impact.
  response_sla_days: 1
  testing_policy_url: https://tuturuuu.com/security/policy
  hall_of_fame_url: https://tuturuuu.com/security/bug-bounty

- company: voibly.app
  url: https://voibly.app/security
  contact: mailto:support@voibly.app
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  allows_disclosure: true
  description: voibly is built for people whose work depends on confidentiality — lawyers, doctors, founders, engineers. Security isn't a marketing layer for us; it's the architecture.
  max_payout: 5000
  response_sla_days: 2
  disclosure_timeline_days: 30
  requires_account: false

- company: Volvo
  url: https://www.volvocars.com/intl/l/legal/vulnerability-reporting/
  contact: mailto:responsible-disclosure@volvocars.com

- company: whatruns.com
  url: https://www.whatruns.com/bug-bounty
  contact: mailto:hello@WhatRuns.com
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  description: |-
    We love software security researchers. They engage with internet companies to find and fix vulnerabilities that otherwise would have gone unnoticed.

    WhatRuns is proud to introduce a bug bounty program to reward researchers for their efforts in finding out vulnerabilities in our product.

    WhatRuns is not affiliated with or endorse the technology companies we list on our website or extension.
  min_payout: 100
  max_payout: 5000
  currency: USD

- company: Wikimint
  url: https://www.wikimint.com/legal#security-hall-of-fame
  contact: mailto:support@wikimint.com
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  description: Wikimint appreciates security researchers and ethical hackers who responsibly disclose vulnerabilities. Valid security reports may be acknowledged here with the researcher’s permission.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  out_of_scope:
  - Third-party services
  domains:
  - '*.wikimint.com'
  reporting_url: https://www.wikimint.com/legal#security-hall-of-fame

- company: WorkoutGen
  url: https://workoutgen.app/security/
  contact: mailto:security@workoutgen.app
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  description: If you found a vulnerability, please tell us. We cannot pay bug bounties - there is no VC behind this, just the two of us trying to keep the lights on. But we take every report seriously and will do everything we can to fix it fast.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: '*.workoutgen.app'
    type: web
  domains:
  - workoutgen.app
  - my.workoutgen.app
  - '*.workoutgen.app'
  hall_of_fame_url: https://workoutgen.app/security#hof-title

- company: Yellow.ai
  url: https://yellow.ai/vulnerability-disclosure-program/
  contact: mailto:infosec@yellow.ai
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  description: Yellow.ai (earlier called Yellow Messenger) is an Indian-origin enterprise AI company that builds conversational AI / chatbot automation platforms for businesses. This Vulnerability Disclosure Program (VDP) policy outlines our guidelines for security researchers who discover and report potential vulnerabilities in our systems. We appreciate the efforts of security researchers in helping us maintain a secure environment.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  scope:
  - target: cloud.yellow.ai
    type: web
  out_of_scope:
  - All other subdomains and services not explicitly mentioned as in-scope. While other subdomains are generally out of scope, we encourage researchers to report critical findings in these areas. Such reports will be reviewed on a case-by-case basis.
  - Denial of Service (DoS) attacks.
  - Vulnerabilities found in third-party applications or services not directly controlled by Yellow.ai.
  - Missing best practices in Content Security Policy.
  - Missing best practices in SSL/TLS configuration.
  - Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
  - Missing HttpOnly or Secure flags on cookies.
  - Information disclosure of public information.
  - Self-XSS (Cross-Site Scripting that only affects the user themselves).
  - Clickjacking on pages with no sensitive actions.
  - Previously known vulnerable libraries without a working Proof of Concept.
  - Rate limiting or brute force issues on non-authentication endpoints.
  - Social engineering (e.g., phishing, vishing, smishing).
  - Software version disclosure / Banner identification issues/headers, or public files (e.g., robots.txt).
  domains:
  - cloud.yellow.ai
  response_sla_days: 3
  reporting_url: https://yellow.ai/vulnerability-disclosure-program/ [Embedded Hackerone Submission Form]

- company: Zaakpay
  url: https://zaakpay.com/bug-bounty
  contact: mailto:vdp@zaakpay.com
  rewards:
  - '*bounty'
  program_type: bounty
  status: active
  preferred_languages: English
  description: If you believe that you have found security vulnerability or Bug on any of Zaakpay’s owned Website or Application, we encourage you to let us know straight away. Our Team will investigate all legitimate reports and do our best to quickly fix the problem.
  excluded_methods:
  - dos
  - social_engineering
  - phishing
  - physical_access
  - automated_scanning
  scope:
  - target: '*.zaakpay.com'
    type: web
  out_of_scope:
  - Issues related to software/application not under Zaakpay’s control or owned by some third party
  - Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
  - Missing security headers which do not lead directly to a vulnerability
  - Clickjacking without an impact
  - Text Injection
  - Known-vulnerable library (without evidence of exploitability)
  - Spam & rate limiting
  - SSL/TLS protocol vulnerabilities
  - Best practice concerns will be reviewed, but in general, we require evidence of a vulnerability
  - Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  - The brute force of promo/coupon code
  - Social engineering attacks
  - Email/Phone number enumeration (user enumeration)
  - Any activity that could lead to the disruption of our service (DoS)
  - Open Redirection
  - Missing Security Headers
  domains:
  - '*.zaakpay.com'
  min_payout: 1000
  currency: INR
  response_sla_days: 1

- company: ZTE
  url: https://www.zte.com.cn/global/about/trust-center/ztepsirt.html
  contact: mailto:psirt@zte.com.cn
  rewards:
  - '*bounty'
  - '*recognition'
  program_type: hybrid
  status: active
  preferred_languages: English, Chinese
  description: ZTE PSIRT handles security vulnerabilities in ZTE products and solutions, with bug bounty rewards for qualifying reports.
  response_sla_days: 1
  standards:
  - ISO 29147
  - ISO 30111

- company: Zulip
  url: https://zulip.com/security/
  contact: mailto:security@zulip.com
  rewards:
  - '*recognition'
  program_type: vdp
  status: active
  safe_harbor: partial
  description: Zulip operates a private HackerOne vulnerability disclosure program, but also credits and rewards external reporters for issues in the self-hosted version. Security releases are published with CVE numbers and disclosed on the Zulip blog