To ensure the highest security for our customer data, SpamHero has a bug bounty program. The vulnerabilities that qualify for a bounty reward are therefore those that could put our customers' data at risk.
If you are new to our bug bounty program, first read the rules below. Before you begin testing, please open an email ticket so that we can provide you with the criteria for receiving bounty rewards. Reports that do not meet our criteria will not receive a reward.
The following rules must be followed to qualify for a bounty reward:
- Do not download or view any private customer data.
- Do not share the vulnerability with others.
- Our blog, blog.spamhero.com, is not participating in the bug bounty program.
- Reports should be submitted in plain text. While supporting screenshots or video may be attached to the message, any reports included via an attached .doc, .pdf, or other type of file will be ignored.
- If we receive too many bogus reports from you, we may not be able to process reports from you in the future. Bogus reports are defined as "vulnerabilities" or "bugs" that cannot be used to actually expose our customer data. Keep in mind that we have several layers of protection and that website scanners will produce some false positives.
- Due to the large number of bogus reports we receive, please allow up to two weeks for our team to process your findings. Requests for updates before 2 weeks have passed may disqualify you from receiving any rewards.
- Because low-risk bugs do not put customer data at risk, they do not qualify for a reward, even if we end up fixing the bug.
- Payments can only be made via PayPal. You must have a PayPal account to receive a reward.
How to submit a report
If you feel you have found an important vulnerability, please open an email ticket that includes the following things:
- A description of the vulnerability, including the perceived severity.
- Steps to reproduce the issue.
- Optionally, you can include your recommendation on a fix.