Security

Bounty Program

Apolloversity Incorporated DBA Next Tech ("we") offers a monetary reward for reports of security vulnerabilities. Reward amounts will vary based on the severity of the reported vulnerability, and we have the sole discretion to decide who is eligible for the reward. The higher the severity, the higher the payout. Payouts range from $25 to $100, although we may pay up to $250 for an extremely severe issue.

Usually, we'll reward the first researcher who reports a particular security issue, and only when we make a code or system change in response to that report. We may decide to pay more than one researcher for duplicate reports if we’re impressed by the research and the quality of the reports.

A good quality report consists of:

  • Proof of concept (POC)

  • Suggested fix(es)

All research must comply with our Terms of Service.

In Scope

You may research and report on any of the following:

  • Remote Code Execution (RCE)

  • Price manipulation

  • Bypassing payment options

  • Account takeover

  • Subdomain takeover

  • Cross-site Scripting (XSS)

  • Cross-site Request Forgery (CSRF)

  • Server-Side Request Forgery (SSRF)

  • SQL Injection

  • XML External Entity Attacks (XXE)

  • Access Control Issues (Insecure Direct Object Reference issues, etc.)

  • Directory traversal issues

  • Local File Disclosure (LFD)

  • Authorization issues

  • Information leak

Out of Scope

  • Presence or absence of SPF/DMARC records

  • Clickjacking on static pages

  • CSRF on forms that are available to anonymous users (e.g. the contact form)

  • Login and logout CSRF issues

  • Self-XSS that is not exploitable

  • Usage of a known vulnerable library (without evidence of exploitability)

  • Vulnerabilities affecting users of outdated browsers and platforms

  • Attacks requiring physical access to a user's device

  • Presence of autocomplete attribute on web forms

  • Missing cookie flags on non-sensitive cookies

  • Disclosure of known public files or directories (e.g. robots.txt)

  • Reports of insecure SSL/TLS ciphers (unless you have a working POC, and not just a report from a scanner)

  • Issues caused by the use of our browser-based development environment

If there is anything in the list above that you think could potentially impact our platform, don’t hesitate to report it with a good POC. We’ll reward you if we’re convinced that we need to change our code, even if it’s a minor issue.

The following is strictly prohibited and will result in a total ban:

  • Denial of service attacks

  • Spamming

  • Social engineering (including phishing) targeting our staff, contractors, or users

  • Accessing our internal data

  • Usage of automated scanners

Disclosure Policy

When you discover a security issue, please let us know as soon as possible, and we’ll resolve it as quickly as we can. Do not disclose any security issues to the public. You can email us directly at contact@next.tech.

If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, please let us know in your report.

Do not exploit a security issue beyond what is needed to demonstrate it, and do not use it to access internal data in search of further vulnerabilities.