Bug Bounty Program
Bitski [Out There Labs Inc.] recognizes the importance of the security community in keeping our products and our customers safe. Maintaining the security of our applications, networks, and services is a high priority for us and we thank you in advance for your contributions to our vulnerability disclosure program. If you believe you've found a security issue in our product or service, we encourage you to submit a vulnerability report.
Any vulnerability submitted under this policy will be used to improve the security and user experience for Bitski users. A valid report is one that clearly demonstrates a vulnerability that affects Bitski and its users.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Please do not profit from or allow any other party to profit from a vulnerability outside of Bug Bounty Program payouts.
- Any information you receive or collect about Bitski users through the Bug Bounty Program (“Confidential Information”) must be kept confidential. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain while researching Bitski assets, without Bitski's consent.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Please provide detailed reports with reproducible steps so that it is easy for our team to evaluate the report, fix issues and reward in a speedy manner. The vulnerability must be reproducible, and your report must contain the steps to reproduce it.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Please combine vulnerability reports that have the same underlying cause in a single report.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Bitski and our users safe!
Scope of Research
- Bitski SDKs
Out of Scope
While researching, we'd like to ask you to refrain from:
- Denial of service
- Spamming or Abuse
- Clickjacking attacks against Bitski users
- Phishing attacks against Bitski users
- Vulnerabilities that involve rate limiting or resource exhaustion
- Social Engineering against Bitski/Out There Labs employees
- Any physical attempts against Bitski/Out There Labs property or data centers
- Known vulnerabilities in third party services that are used in Bitski products and services
| Impact Category | Bounty Amount | Examples |
|---|---|---|
| Critical | $1500 | Account takeover, Remote code execution, Unrestricted file system/database access, flaws that leak user information, sign in on behalf of user from different domain. |
| High | $750 | Privilege Escalation, Scope escalation, Bugs that circumvent significant security controls, Cmd injection, Auth Bypass |
| Medium | $200 | CSRF, URL redirect, Direct object references |
| Low | $100 | Same Origin, XSS - limited impact, SSL misconfigurations/certificates - limited impact |
We take vulnerability reports very seriously, and will do our best to respond as soon as possible. We will respond on initial report submission and upon completion of each prior stage. Below are our expected response times for each stage by category.
| Average response time | Critical/High | Medium/Low |
|---|---|---|
| First Response | 3 business days | 5 business days |
| Triage | 10 business days | 10 business days |
| Bounty Rewarded | 20 business days from triage | 30 business days from triage |
| Resolution | 30 business days from triage | 60 business days from triage |