Bug Bounty & Vulnerability Research Program

Bug Bounty Program Scope

This program covers security issues pertaining to services provided by us at ui.honeycomb.io and api.honeycomb.io, including:

  • web application vulnerabilities such as XSS, CSRF, SQLi,
  • authentication issues
  • authorization issues
  • remote code execution

This program excludes (regardless of coverage indicated above):

  • Any issues related to www.honeycomb.io or info.honeycomb.io
  • social engineering
  • WordPress “issues” such as xmlrpc that are mitigated by our hosting provider
  • out-of-date browsers and plugins
  • vulnerabilities in 3rd party applications that do not directly affect our data or service
  • issues already known by us or previously reported to us by others
  • issues that we have determined to be of acceptable risk

In addition to being out of scope, the following are ineligible for a reward, and may result in a ban of your IP from our service and a ban from our bug bounty program:

  • Denial of service (DoS) attacks, or attacks that produce excessive amounts of traffic
  • Testing rate limiting
  • Using automated tooling in such a way that produces excessive amounts of traffic
  • Spam of any kind
  • Engagement with our support team as a part of your report

Threshold Severity

There are no rewards for security issues that are trivial or broadly applicable to every service, such as:

  • Lack of password length restrictions
  • Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.
  • Self-XSS
  • Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim’s device(s)
  • CSRF
  • User existence/enumeration vulnerabilities
  • Password complexity requirements
  • Insecure cookie settings for non-sensitive cookies
  • Bugs requiring exceedingly unlikely user interaction
  • Reports from automated tools or scans (without accompanying demonstration of exploitability)
  • Text-only injection in error pages
  • Automatic hyperlink construction by 3rd party email providers
  • Using email mutations (+, ., etc) to create multiple accounts for a single email


Your behavior

We only work with responsible disclosure and responsible parties. Your responsible behavior includes:

  • Giving us reasonable time to investigate and mitigate your issue before using or sharing the information with others.
  • Not interacting with our other users or accounts without their explicit consent, provided with full knowledge of your objectives.
  • Avoiding all privacy violations and any disruption of service to other users and accounts.
  • No exploitation of any security risk you discover, including additional demonstrations of the same risk.
  • Providing your real name, proof of identity if requested, and non-cash payment method to you.
  • Compliance with all applicable laws and regulations.


Vulnerability Research Submissions

Submit your report to security@honeycomb.io



All rewards are at our discretion. We attempt to align any award appropriately with the severity of the security risk.