We encourage responsible disclosure of security vulnerabilities through this bug bounty program. This document attempts to cover the most anticipated basic features of our policy; however the devil is always in the details, and it is not practical to cover every conceivable detail in advance. Whenever there is any room for interpretation or judgment, we will rely on our own discretion, informed by the circumstances and your actions.
This program covers security issues pertaining to services provided by us at honeycomb.io, including:
- web application vulnerabilities such as XSS, CSRF, SQLi,
- authentication issues
- authorization issues
- remote code execution
This program excludes (regardless of coverage indicated above):
- social engineering
- WordPress “issues” such as xmlrpc that are mitigated by our hosting provider
- out-of-date browsers and plugins
- vulnerabilities in 3rd party applications that do not directly affect our data or service
- spam of any kind
- denial of service attacks
- issues already known by us or previously reported to us by others
- issues that we have determined to be of acceptable risk
There are no rewards for security issues that are trivial or broadly applicable to every service, such as:
- Lack of password length restrictions
- Merely showing that a page can be iFramed without finding a link on the page to be click-jacked.
- Vulnerabilities which involve privileged access (e.g. rooting a phone) to a victim’s device(s)
- Logout CSRFUser existence/enumeration vulnerabilities
- Password complexity requirements
- Insecure cookie settings for non-sensitive cookies
- Bugs requiring exceedingly unlikely user interaction
- Reports from automated tools or scans (without accompanying demonstration of exploitability)
- Text-only injection in error pages
- Automatic hyperlink construction by 3rd party email providers
- Using email mutations (+, ., etc) to create multiple accounts for a single email
We only work with responsible disclosure and responsible parties. Your responsible behavior includes:
- Giving us reasonable time to investigate and mitigate your issue before using or sharing the information with others.
- Not interacting with our other users or accounts without their explicit consent, provided with full knowledge of your objectives.
- Avoiding all privacy violations and any disruption of service to other users and accounts.
- No exploitation of any security risk you discover, including additional demonstrations of the same risk.
- Providing your real name, proof of identity if requested, and non-cash payment method to you.
- Compliance with all applicable laws and regulations.
Submit your report to firstname.lastname@example.org
All rewards are at our discretion. We attempt to align any award appropriately with the severity of the security risk.