1. Objective
The Bug Bounty Program aims to enhance the security of our services and the Survicate tool by incentivizing security researchers and ethical hackers to report potential security vulnerabilities responsibly, improving security for all users by eliminating those vulnerabilities.
2. Requirements
- Participants must not publicly disclose the reported vulnerability.
- You must be at least 18 years old and possess full legal capacity.
- Current or former employees of Survicate (or families of those) are excluded.
- Abide by all relevant legal and ethical guidelines.
- Reports must be made in good faith and must not involve any malicious intent; refrain from any actions that may be considered invasive.
- Effort spent attempting to gather information about vulnerabilities is not rewarded on its own.
- You must not be an individual from a country subject to sanctions.
3. Scope of the Program
- The Survicate Bug Bounty Program covers all online services and applications provided by Survicate SA.
- In-scope hosts:
- In-scope apps:
- iOS SDK
- Android SDK
- React Native SDK
- Flutter SDK
- JavaScript SDK
- Panel - panel.survicate.com
- Data Export API (v2 only)
- Webhooks
All domains and endpoints not listed in the targets section are out of scope.
4. Out of Scope
Vulnerabilities in the following areas are out of scope and will not be eligible for Rewards:
- Vulnerabilities in third-party applications or libraries that are not developed by Survicate.
- Exploitation of known vulnerabilities that depend on outdated user software, such as outdated browsers or operating systems.
- Attacks such as Distributed Denial of Service (DDoS).
- Vulnerabilities related to third-party APIs.
- Brute-force attacks to uncover credentials.
- Issues involving social engineering, phishing, or other tactics unrelated to the technical security of Survicate's systems.
- Issues with DNS records (SPF, DKIM, DMARC) or SSL/TLS certificate configuration.
- Low-severity vulnerabilities such as content spoofing or OWASP Low category issues.
- Cross-Site Request Forgery (CSRF) vulnerabilities on non-sensitive areas of the platform.
- Discovery of publicly available information that does not pose a security threat.
- Security issues stemming from misconfigured external services or infrastructure not directly controlled by Survicate.
- Enumeration of accounts and other resources.
- E-mail flooding/bombing.
- Vulnerabilities that have been independently detected by Survicate or reported as part of other report submissions of the same or similar nature. Similarity means the use of the same or a similar methodology or pattern, or if the mitigation measures previously applied or planned by Survicate (in the context of other vulnerabilities) will also secure the reported vulnerability.
- Circumventing business plan limits defined in Survicate's pricing and using features without paying for them, including Paywall Bypass attacks.
5. Reporting Procedure
- Vulnerabilities must be reported via email to security@survicate.com.
- Reports should include:
- detailed information about the Vulnerability,
- steps to reproduce the issue, and
- potential security impact.
- Survicate may request additional information or proof of concept.
- Survicate will respond to the reporter within 30 business days.
6. Rewards
- Rewards will be determined by Survicate based on the severity of the Vulnerability and its impact on the security of Survicate systems.
- Critical: up to PLN 5,000 or the equivalent in USD
- High: up to PLN 2,000 or the equivalent in USD
- Medium: up to PLN 1,000 or the equivalent in USD
- Low: up to PLN 100 or the equivalent in USD
- Amounts are determined based on the CVSS methodology, assessed individually for each specific case.
- You receive a Reward only if you are the first to report the specific vulnerability. If the vulnerability has already been reported by someone else who received a reward, no additional Reward will be granted.
- The Reward pool is limited.