Security

Bounty Program

Apolloversity Incorporated DBA Next Tech ("we") offers a monetary reward for reports of security vulnerabilities. Reward amounts will vary based on the severity of the reported vulnerability, and we have the sole discretion to decide who is eligible for the reward. The higher the severity, the higher the payout. Payouts range from $25 to $100, although we may pay up to $250 for an extremely severe issue.
Usually, we'll reward the first researcher who reports a particular security issue, and only when we make a code or system change in response to that report. We may decide to pay more than one researcher for duplicate reports if we’re impressed by the research and the quality of the reports.
A good quality report consists of:
    Proof of concept (POC)
    Suggested fix(es)
All research must comply with our Terms of Service.

In Scope

You may research and report on any of the following:
    Remote Code Execution (RCE)
    Price manipulation
    Bypassing payment options
    Account takeover
    Subdomain takeover
    Cross-site Scripting (XSS)
    Cross-site Request Forgery (CSRF)
    Server-Side Request Forgery (SSRF)
    SQL Injection
    XML External Entity Attacks (XXE)
    Access Control Issues (Insecure Direct Object Reference issues, etc)
    Directory traversal issues
    Local File Disclosure (LFD)
    Authorization issues
    Information leak

Out of Scope

    Presence or absence of SPF/DMARC records
    Clickjacking on static pages
    CSRF on forms that are available to anonymous users (e.g. the contact form)
    Login and logout CSRF issues
    Self XSS that is not exploitable
    Usage of a known vulnerable library (without evidence of exploitability)
    Vulnerabilities affecting users of outdated browsers and platforms
    Attacks requiring physical access to a user's device
    Presence of autocomplete attribute on web forms
    Missing cookie flags on non-sensitive cookies
    Disclosure of known public files or directories (e.g. robots.txt)
    Reports of insecure SSL/TLS ciphers (unless you have a working POC, and not just a report from a scanner)
    Issues caused by the use of our browser-based development environment
If there is anything in the list above that you think could potentially impact our platform, don’t hesitate to report it with a good POC. We’ll reward you if we’re convinced that we need to change our code, even if it’s a minor issue.
The following is strictly prohibited and will result in a total ban:
    Denial of service attacks
    Spamming
    Social engineering (including phishing) targeting our staff, contractors, or users
    Accessing our internal data
    Usage of automated scanners

Disclosure Policy

When you discover a security issue, please let us know as soon as possible, and we’ll resolve it as quickly as we can. Do not disclose any security issues to the public. You can email us directly at [email protected].
If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, please let us know in your report.
Do not over-exploit any security issue, and do not access internal data in search of further vulnerabilities.