Bug Bounty Program

Bitski [Out There Labs Inc.] recognizes the importance of the security community in keeping our products and our customers safe. Maintaining the security of our applications, networks, and services is a high priority for us and we thank you in advance for your contributions to our vulnerability disclosure program. If you believe you've found a security issue in our product or service, we encourage you to submit a vulnerability report.

Any vulnerability submitted under this policy will be used to improve the security and user experience of Bitski users. A valid report is one that clearly demonstrates the vulnerability that affects Bitski and its users.

Disclosure Policy

  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • Please do not profit from or allow any other party to profit from a vulnerability outside of Bug Bounty Program payouts.
  • Any information you receive or collect about Bitski users through the Bug Bounty Program (“Confidential Information”) must be kept confidential. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain while researching Bitski assets, without Bitski's consent.

Program Guidelines

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Please provide detailed reports with reproducible steps so that it is easy for our team to evaluate the report, fix issues and reward in a speedy manner. The vulnerabilities must be reproducible and your report should contain steps to reproduce.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Please combine vulnerability reports that have the same underlying cause in a single report.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Bitski and our users safe!

Scope of Research

  • *.bitski.com
  • https://www.bitski.com/
  • https://outtherelabs.com/
  • Bitski SDKs

Out of Scope

While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming or Abuse
  • Clickjacking attacks against Bitski users
  • Phishing attacks against Bitski users
  • Vulnerabilities that involve rate limiting or resource exhaustion
  • Social Engineering against Bitski/Out There Labs employees
  • Any physical attempts against Bitski/Out There Labs property or data centers
  • Known vulnerabilities in third party services that are used in Bitski products and services

Bounties

| Impact Category | Bounty Amount | Examples |
|---|---|---|
| Critical | $1500 | Account takeover, Remote code execution, Unrestricted file system/database access, flaws that leak user information, sign in on behalf of user from different domain. |
| High | $750 | Privilege Escalation, Scope escalation, Bugs that circumvent significant security controls, Cmd injection, Auth Bypass |
| Medium | $200 | CSRF, URL redirect, Direct object references |
| Low | $100 | Same Origin, XSS - limited impact, SSL misconfigurations/certificates - limited impact |

Response Target

We take vulnerability reports very seriously, and will do our best to respond as soon as possible. We will respond upon initial report submission and upon completion of each prior stage. Below are our expected response times for each stage by category.

| Average response time | Critical/High | Medium/Low |
|---|---|---|
| First Response | 3 business days | 5 business days |
| Triage | 10 business days | 10 business days |
| Bounty Rewarded | 20 business days from triage | 30 business days from triage |
| Resolution | 30 business days from triage | 60 business days from triage |

Ready to report a vulnerability?

Please fill out our Vulnerability Report Template and submit it to us at security@bitski.com.