1. Objective
The Bug Bounty Program aims to enhance the security of our services and the Survicate tool by incentivizing security researchers and ethical hackers to report potential security vulnerabilities responsibly, improving the security for all users by eliminating vulnerabilities.
This Program is competitive in nature. Submissions are assessed against each other for quality, impact and usefulness, and only selected submissions may receive a monetary reward. Participation or submission of a report does not guarantee a reward.
2. Requirements
- Participants must not publicly disclose the reported vulnerability.
- You must be at least 18 years old and possess full legal capacity.
- Current or former employees of Survicate (or their family members) are excluded.
- You must abide by all relevant legal and ethical guidelines.
- Reports must be made in good faith and must not involve any malicious intent; refrain from any actions that may be considered invasive.
- Effort spent looking for vulnerabilities is not rewarded on its own: dedicating time without delivering tangible results is not sufficient for recognition.
- You must not be an individual from a country subject to sanctions by the Republic of Poland, Great Britain, the European Union, the United States, or Australia.
- Participants are responsible for providing all necessary tools and resources. Participation in the Program is entirely at your own cost and risk.
3. Scope of the Program
- The Survicate Bug Bounty Program covers the online services and applications provided by Survicate SA that are listed below.
- In-scope hosts:
  - panel.survicate.com
  - panel-api.survicate.com
  - survey.survicate.com
  - surveys-static.survicate.com
  - surveys-static-prd.survicate-cdn.com
  - respondent.survicate.com
- In-scope apps:
  - iOS SDK
  - Android SDK
  - React Native SDK
  - Flutter SDK
  - JavaScript SDK
  - Panel (panel.survicate.com)
  - Data Export API (v2 only)
  - Webhooks
- Third-party integrations and external services not directly controlled by Survicate are excluded from the Program.
- Any domains and endpoints not listed above are out of scope.
4. Out of Scope
Vulnerabilities in the following areas are out of scope and will not be eligible for Rewards:
- Vulnerabilities in third-party applications or libraries that are not developed by Survicate.
- Exploitation of known vulnerabilities that depend on outdated user software, such as outdated browsers or operating systems.
- Attacks such as Distributed Denial of Service (DDoS).
- Vulnerabilities related to third-party APIs.
- Brute-force attacks to uncover credentials.
- Issues involving social engineering, phishing, or other tactics unrelated to the technical security of Survicate's systems.
- Issues with DNS records (SPF, DKIM, DMARC) or SSL/TLS certificate configuration.
- Low-severity vulnerabilities such as content spoofing or OWASP Low category issues.
- Cross-Site Request Forgery (CSRF) vulnerabilities on non-sensitive areas of the platform.
- Discovery of publicly available information that does not pose a security threat.
- Security issues stemming from misconfigured external services or infrastructure not directly controlled by Survicate.
- Enumeration of accounts and other resources.
- E-mail flooding/bombing.
- Vulnerabilities that have been independently detected by Survicate or reported as part of other report submissions of the same or similar nature. Similarity means the use of the same or a similar methodology or pattern, or that the mitigation measures previously applied or planned by Survicate (in the context of other vulnerabilities) will also secure the reported vulnerability.
- Circumventing business plan limits defined in Survicate's pricing and using features without paying for them, including paywall bypass attacks.
5. Reporting Procedure
- Vulnerabilities must be reported via email to bugbounty@survicate.com.
- Reports should include:
  - detailed information about the vulnerability,
  - steps to reproduce the issue, and
  - the potential security impact.
- Survicate may request additional information or a proof of concept.
- Survicate will respond to the reporter within 30 business days.
6. Rewards
- Rewards will be determined by Survicate based on the severity of the vulnerability and its impact on the security of Survicate systems. Rewards are denominated in USD and payable in USD only.
  - Critical: up to USD 1,300
  - High: up to USD 550
  - Medium: up to USD 250
  - Low: up to USD 25
- Severity is rated using the CVSS methodology; Survicate reserves the right to make an individual assessment in specific cases.
- You will receive a Reward only if you are the first to report the specific vulnerability. If the vulnerability has already been reported by someone else who received a Reward, no additional Reward will be granted.
- The Reward pool is limited and, due to the competitive nature of the Program, only selected submissions may receive a Reward.