Serpstat White Hat Bounty Program
We value and reward security experts who report vulnerabilities in our services, thereby helping us ensure the security of our users.
If you think that you have discovered a vulnerability in our service, please inform us immediately. We will review all reports and do our best to fix the issue quickly. Before reporting an issue, review the content of this document, including explanations of the responsible disclosure policy, reward policy, and scope of the program.
To be eligible for a reward, you must meet the following requirements:
- Adhere to a responsible disclosure policy (see above).
- Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk.
- Remember that the degree of risk is determined by Serpstat, and many software issues do not create security vulnerabilities.
If, while investigating a vulnerability, you inadvertently violated the confidentiality of other people or disrupted their work (for example, you gained access to account data, service configurations or other confidential information), you must indicate this in your report.
When researching vulnerabilities, use test accounts. If you cannot reproduce the issue using a test account, use a real one (but not for automated testing). Do not interact with other accounts without the consent of their owners.
Please send your report to firstname.lastname@example.org
The maximum reward amount is $100 or a paid subscription to Serpstat services for an equivalent amount.
For issues with a very low level of risk, a reward may not be provided at all. Each reward is paid to one person only.
We verify that all bounty rewards are permitted by applicable laws, including (but not limited to) US trade sanctions and economic restrictions.
(For example, SQLi, XSS, open transitions and permission bypass vulnerabilities (such as IDOR) are completely excluded from the program.) Also, you are not allowed to access data or use any access token of any Serpstat account, except your own.