Zaprite has introduced a bug bounty program to encourage developers, ethical hackers and the security community at large to help us find and track vulnerabilities in our platform. If you have discovered a security issue that you believe we should know about, we would welcome working with you.
We have outlined below some initial information around disclosure types, rewards and definitions, which we will continually review and update as we grow.
All rewards will be paid in bitcoin. Upon bounty confirmation, all payment requests must be submitted through Zaprite’s invoicing platform.
Disclosure Types & Rewards
Disclosure of a critical vulnerability:
$200 (paid in bitcoin)
Disclosure of a severe vulnerability:
$100 (paid in bitcoin)
Disclosure of a minor bug:
TBD (see definition)
Definition of “critical vulnerability”
A critical vulnerability is one that can be used to create a Denial of Service (DoS) for all, or at least a significant portion, of our users. A denial of service is anything that prevents users from using the platform to perform the basic actions for which Zaprite was designed, namely creating invoices and sending them to clients. If a critical vulnerability were to be leveraged against Zaprite, it would become an ‘all hands on deck’ situation and remain the only priority until resolved.
Definition of “severe vulnerability”
A severe vulnerability is one that can be used to create either a partial Denial of Service (pDoS) or a Resource Depletion Attack (RDA). A pDoS is a denial of service affecting some number of users that is deemed non-critical. An RDA is an attack in which Zaprite faces elevated costs, for example (but not limited to) through over-usage of our infrastructure. If a severe vulnerability were leveraged against Zaprite, it would become a top priority, but not necessarily an ‘all hands on deck’ situation.
Definition of “minor bug”
A minor bug is anything that does not fit the above definitions. Minor bugs are likely to remain unaddressed unless they are determined to pose a greater threat or are found to directly degrade the user experience on the platform. There is no set bounty reward. If a minor bug is later escalated to “severe” or “critical”, the corresponding reward would be allocated. If a number of minor bugs are reported and found to lead to material improvements to Zaprite, a reward could be allocated on a case-by-case basis, or the reporter could be given a free subscription to Zaprite.
Please send all submissions and questions to firstname.lastname@example.org and we will review and respond as quickly as possible. Please bear with us; we are a small team!
Note: We do not consider ‘click-jacking’ to be a vulnerability in our code. Do not send click-jacking reports. You will not receive a response.
This is meant to serve as a guide for our bug bounty program which is sure to evolve over time. We are a young company with no material revenue today, and having the community participate in this program could mark the beginning of a long, fruitful relationship.