We accept bug reports for security vulnerabilities into our website and mobile apps, and try to reward researchers who find unique and original bugs in our website or apps.
Payouts are determined on a case-by-case basis. We are a small company with a limited budget, so you won't find any million-dollar bounties here; in fact, the payout may be quite small, but we'll do our best.
Try to be considerate when testing. We want to know if there's an exploitable problem, but we don't want our systems harmed. With this in mind:
- Do not access data that doesn't belong to you. If you discover data that doesn't belong to you, do not look further; this is enough to report the bug.
- Do not engage in Denial-of-Service or flooding/bombing attacks. If testing for vulnerabilities where our software or services may be used to carry out a Denial-of-Service or flooding/bombing attack, please limit any testing or demonstration to 10 actions.
Inclusions and Exclusions
Included in Scope
The following apps and URLs are considered to be in scope:
- Our Android App
- Our iOS App
The following issues are outside the scope of our bug bounty program:
- CSRF for non-significant actions (logout, etc.)
- Clickjacking attacks without a documented series of clicks that produce a vulnerability
- Spam (including issues related to SPF/DKIM/DMARC)
- Denial-of-service attacks or issues related to rate limiting
- Attacks that require social engineering (phishing)
- Content injection, such as reflected text or HTML tags
- Missing HTTP headers, except where their absence fails to mitigate an existing attack
- Authentication bypasses that require access to software/hardware tokens
- Vulnerabilities that require access to passwords, tokens, or the local system (e.g. session fixation)
- Assumed vulnerabilities based upon version numbers only
- Outdated software alone will not be considered to be vulnerable unless you can point to a known vulnerability in the current software version (provide a CVE number) or demonstrate a vulnerability that exists because of the software version.
- All domain names and apps other than those mentioned in the "Included in Scope" section above.
- All systems not owned by 4RoadService (don't attack our hosting or service providers; go through their bug bounty programs if they exist).
If you find something that is out of scope we are still interested in hearing about it, but there won't be a payout.
Submitting a Bug Report
If you find a bug, please report it on our contact form and select "Security" for the "This message is about" field. Once you have reported the bug, we will verify that it is reproducible and get in touch to let you know our next steps. Generally, a bounty will only be paid once a bug is fixed.
What should a bug report look like?
The information in a bug report should describe the attack scenario, include step-by-step reproduction steps, and state the impact of the bug. Mozilla has a great summary of what an attack scenario and reproduction steps should look like; please refer to it when submitting any bugs.
Last update: March 26, 2020, 8:41 PM EST.