Apolloversity Incorporated DBA Next Tech ("we") offers a monetary reward for reports of security vulnerabilities. Reward amounts will vary based on the severity of the reported vulnerability, and we have the sole discretion to decide who is eligible for the reward. The higher the severity, the higher the payout. Payouts range from $25 to $100, although we may pay up to $250 for an extremely severe issue.
Usually, we'll reward the first researcher who reports a particular security issue, and only when we make a code or system change in response to that report. We may decide to pay more than one researcher for duplicate reports if we’re impressed by the research and the quality of the reports.
A good quality report consists of:
Proof of concept (POC)
All research must comply with our Terms of Service.
You may research and report on any of the following:
Remote Code Execution (RCE)
Bypassing payment options
Cross-site Scripting (XSS)
Cross-site Request Forgery (CSRF)
Server-Side Request Forgery (SSRF)
XML External Entity Attacks (XXE)
Access Control Issues (Insecure Direct Object Reference issues, etc)
Directory traversal issues
Local File Disclosure (LFD)
Presence or absence of SPF/DMARC records
Clickjacking on static pages
CSRF on forms that are available to anonymous users (e.g. the contact form)
Login and logout CSRF issues
Self XSS which are not exploitable
Usage of a known vulnerable library (without evidence of exploitability)
Vulnerabilities affecting users of outdated browsers and platforms
Attacks requiring physical access to a user's device
Presence of autocomplete attribute on web forms
Missing cookie flags on non-sensitive cookies
Disclosure of known public files or directories, (e.g. robots.txt)
Reports of insecure SSL/TLS ciphers (unless you have a working POC, and not just a report from a scanner)
Issues caused by the use of our browser-based development environment
If there is anything in the list above that you think could potentially impact our platform, don’t hesitate to report it with a good POC. We’ll reward you if we’re convinced that we need to change our code, even if it’s a minor issue.
The following is strictly prohibited and will result in a total ban:
Denial of service attacks
Social engineering (including phishing) targeting our staff, contractors, or users
Accessing our internal data
Usage of automated scanners
When you discover a security issue, please let us know as soon as possible, and we’ll resolve it as quickly as we can. Do not disclose any security issues to the public. You can email us directly at firstname.lastname@example.org.
If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, please let us know in your report.
Do not overexploit any security issue and access internal data for further vulnerabilities.