To improve the reach of this vulnerability disclosure program, we have just made it public.
We are very much looking forward to the new exposure this gives us and our platform.
As usual, let us know if you have feedback on our rulebook, triage flow or the program in general.
Happy hunting!

To reflect the increased maturity of the program, we've decided to improve the bounties we award! The new bounties are as follows:
Additionally, we will be writing about newly added features here on a regular basis, in an attempt to improve the 'hit rate' by highlighting platform components with a higher likelihood of security problems.
Thank you all for your support so far, and happy hacking!

First of all, thanks to the early adopters who have submitted issues over the last months. You've helped us immensely in getting the program up to speed!
We are now reasonably confident in the amount of traffic we can expect, hence we are moving the confidentiality level to 'registered', effective immediately! We hope this will both increase the visibility of the program and allow more researchers to participate.
Again, thanks to everyone who has helped us reach this milestone!

We're very pleased with the initial response to our bug bounty program: quite a few interesting things have been identified already!
Now that we have a bit more data on the number of issues and their severity, we want to adjust our bug bounties to match:
We greatly appreciate the help we've received from researchers so far! Accordingly, we've adjusted any previously awarded bounties to match the new amounts specified above.
Thank you all for your interest and for helping improve our platform!

We're still here after our first week of bug bounty 🎉. Thanks to all of you participating so far.
One change we just made: we updated the domain list with specific 'for-hackers.' prefixes, as we found many (automated) tools spamming our telemetry and bug reporting systems. With this change, it's easier for us to separate those reports. Note that these domains are simple CNAMEs to the real ones, and behavior should otherwise be identical! Please update your tools to use the new domains.
Lastly, for those who have not seen this yet: we added our hidden web build of the app to the scope at https://for-hackers.crispapp.nl/web-rn/. We hope this helps lower the barrier to start hacking right away! Since our real customers don't use this build, any client-side issues that do not also occur in our native builds are capped at low severity.
Happy hacking and a good weekend to all!