Bug Bounty Program

 

N.B. Please note that the Flipsnack Bug Bounty Program is temporarily paused. This step has been taken to prevent duplicate submissions and ensure that we can give each report the attention it deserves. We are actively working to process and resolve the outstanding issues, and we are committed to restarting the program as soon as possible. Thank you for your understanding and your continued support in helping us improve Flipsnack's security.

Objective: The Flipsnack Bug Bounty Program aims to encourage security researchers, developers, and ethical hackers to identify and report potential security vulnerabilities in our platform. Our goal is to enhance the security of Flipsnack by partnering with the security community.

Program scope: The Bug Bounty Program covers security vulnerabilities in Flipsnack's web and mobile applications, APIs, and related infrastructure. Vulnerabilities that could impact the confidentiality, integrity, or availability of user data or the Flipsnack platform are eligible for this program.

Eligibility

  • The Bug Bounty Program is open to individual security researchers and professionals.
  • Participants must comply with all applicable local, state, and national laws.
  • Employees of Flipsnack, its subsidiaries, and family members of employees are not eligible to participate in this program.

Submission Guidelines

  • Submissions must include a detailed report of the vulnerability, steps to reproduce, and potential impact. Clear and concise explanations are necessary for a valid submission.
  • Provide a working proof of concept to demonstrate the vulnerability.
  • Do NOT publicly disclose the vulnerability until it has been resolved and you have received explicit permission from Flipsnack.
  • Only submit vulnerabilities that are your original work. Avoid submitting duplicates of previously reported vulnerabilities.
  • We do not promote or tolerate abusive behavior. Submissions from researchers who engage in violent, shaming, or harassing conduct will not be rewarded. We value respectful collaboration and a professional approach in all reports.

Out of Scope Vulnerabilities

  • Issues related to social engineering attacks.
  • Vulnerabilities in third-party services or software not owned by Flipsnack.
  • Denial of Service (DoS) attacks.
  • Issues that require physical access to the victim’s device.
  • Reports from automated tools or scans that do not demonstrate a specific vulnerability.

Reward Guidelines

The reward for a valid vulnerability is up to $500, depending on the severity and impact of the issue. Rewards are categorized as follows:

  • Critical 
  • High 
  • Medium 
  • Low 

The Flipsnack security team determines the reward amount based on the severity of the vulnerability, the quality of the report, and the impact on our platform.

Important Note: Not all submissions will result in a reward. If the vulnerability has already been reported by another researcher or identified by our security team, it will not qualify for a reward. Additionally, the review process may take some time, depending on the complexity of the issue and the volume of submissions.

Process

  1. Submit your report via our dedicated bug bounty platform or by emailing privacy@flipsnack.com.
    Please ensure that your vulnerability report includes a specific use case to help our team better understand and assess the issue.
  2. You will receive an acknowledgment of your submission within 48 hours.
  3. Our security team will validate the vulnerability, assess its impact, and review the specific use case. The review process will last up to 30 days.
  4. Once validated, we will work to resolve the issue as quickly as possible. You will be updated on the status throughout the process.
  5. After the vulnerability is resolved, the reward will be issued within 30 days.

Legal Safe Harbor

We will not pursue legal action against researchers who:

    • Adhere to the program rules and guidelines.
    • Make a good faith effort to avoid privacy violations, disruption of services, and destruction of data.
    • Provide us with sufficient time to resolve the issue before disclosing it publicly.

Program Terms

  • Flipsnack reserves the right to modify the terms of this program or discontinue it at any time without notice.
  • All decisions regarding the program, including reward eligibility and amount, are final and at the discretion of the Flipsnack security team.

Contact Information: For any questions or clarifications about the Bug Bounty Program, please contact privacy@flipsnack.com.

Last updated on October 1, 2024