Security Exploit Bounty Program
Responsible Disclosure
Security is of utmost importance to Noticeable. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Noticeable. Principles of responsible disclosure include, but are not limited to:
Access or expose only customer data that is your own.
Do not exfiltrate data from our infrastructure (including source code, data backups, configuration files).
If you obtain remote access to our system, report your finding immediately. Do not attempt to pivot to other servers or elevate access.
Avoid scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site). This includes the spamming of contact forms, support emails, etc.
Keep within the guidelines of our Terms of Service.
Keep details of vulnerabilities secret until Noticeable has been notified and had a reasonable amount of time to fix the vulnerability.
In order to be eligible for a bounty, your submission must be accepted as valid by Noticeable. We use the following guidelines to determine the validity of requests and the reward compensation offered.
Reproducibility
We must be able to reproduce the security flaw from your report. Reports that include clearly written explanations and working code are more likely to garner rewards.
Reports that are too vague or unclear are not eligible for a reward.
Reports we're interested in
Tampering with data of other users.
Bypassing our API's security.
Server-side code execution.
Examples of non-qualifying exploits
Denial of service attacks.
Social engineering.
Reports we don't want
SSL or DNS best practices (DNSSEC, CAA)
Email spoofing, SPF, DMARC & DKIM
Mass form submissions
Rewards
Rewards are free subscriptions or discounts to one of our plans based on the severity.
Only 1 bounty will be awarded per vulnerability.
If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
Contact
Please email us at security@noticeable.io with any vulnerability reports or questions about the program. Please report each new bug in a separate email thread.
Updated on: 04/09/2022