Bug Bounty Program

This document provides the terms for a bug bounty program for those individual researchers in the security community that provide contributions to manage the security of our systems in support of our users. Please note this is an interim program and is subject to modification, updates and cancellation as we develop our program. Until such time as we develop and publish our program, we require researchers to abide by the terms of this document. If you follow terms outlined below, we will not initiate or recommend legal or other action against you in response to your report.

What we expect from you

• You must give us reasonable time to investigate, confirm and mitigate an issue you report to us before you make public any information about any vulnerabilities from your report.
• You must not disclose a vulnerability without our formal consent.
• You must not access data for accounts that you do not own.
• You must make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data.
• You must make a good faith effort to avoid attacks that interrupt or degrade our services. DDoS/spam attacks are not covered by this program.
• You must not conduct non-technical attacks such as phishing, social engineering or physical attacks against our employees, customers or infrastructure.
• You must not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
• You are not eligible if you are an employee or contractor of us or our affiliates, or an immediate family member of a person employed or contracted by us or our affiliates, or less than 18 years old.

What can you expect from us

• We will respond as quickly as possible to your initial report.
• Due to complexity and other factors, some vulnerabilities will require longer to address. In these cases, the vulnerability may need to remain non-public for a longer time to ensure that our engineering team has an adequate amount of time to address the vulnerability.
• We will let you know when the issue is fixed and when you can disclose it publicly.
• We will not take legal action against you if you have acted in good faith.

Good Faith Vulnerability Research and Disclosure

You must act in good faith when investigating and reporting vulnerabilities to us. Acting in good faith includes:

Upholding the terms listed here. Failure to abide by the terms set forth here could result in non-payment and/or legal action if warranted.

Respect our users’ privacy. You should only interact with accounts that you own, or with explicit permission from the account holder. If you encounter user information that you do not have permission to access during the course of your research, you must:

• Stop immediately. Any further action is unauthorized by this program.
• Report access to user information immediately to our Team
• Do not use, save, copy, store, transfer, disclose or otherwise retain any such information
• Cooperate and work with us on further requests from us

No extortion. Any vulnerability reporting should be done with no conditions or strings attached. ConfigCat reserves the right to determine what we believe to be a reasonable payout for your efforts, and pay you based on our standards outlined below. Any attempt at extortion or ransom may result in legal action.

Do no harm. You should never leave a system in a more vulnerable state than you found it. This means you should not be conducting testing or other activities that degrades, damages, destroys, or harms information within our systems or otherwise impacts our users.

Services In Scope

• configcat.com
• *.configcat.com

Services Out Of Scope

Certain services are not within the scope of this bug bounty program. If a service is not expressly identified as within scope, you should assume it is out of scope. If you require further clarification on what services are within the scope of this bug bounty program, you should ask our Team if you have any questions. Services that are not within the scope of this bug bounty program include, but are not limited to:

• Social media accounts run by ConfigCat.
• Status pages (e.g. status.configcat.com).
• The Contact Us page.
• The DEMO booking functionality.

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for this program. Common examples include:

• Authentication or authorization bugs.
• Remote code execution.
• SQL injection.
• XSS (Cross-site scripting).
• CSRF (Cross-site request forgery).

Report qualifying vulnerabilities through our contact form.

Non-technical vulnerabilities such as DDoS, phishing, breaking and entering are not qualified for our bounty program.

Non-qualifying Vulnerabilities

The following is a list of bugs that typically don’t qualify for bug bounties, however, this list is not exhaustive or definitive.

• Already known vulnerabilities.
• Bugs that do not affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari).
• Bugs related to browser extensions are out of scope.
• Bugs requiring very unlikely user interaction or remote edge cases of user activity.
• Disclosure of public information and information that does not present significant risk.
• Bugs that have already been submitted by another user, that we are already aware of, or that are classified as ineligible by ConfigCat.
• Source code disclosures, as most of our code is open source.
• CSRF for non-significant actions (logout, etc.)
• Clickjacking attacks without a documented series of clicks that produce a vulnerability.
• Spam.
• Vulnerabilities discovered shortly after their public release.
• Attacks that require social engineering (phishing).
• Content injection, such as reflected text or HTML tags.
• Missing HTTP headers, except as where their absence fails to mitigate an existing attack.
• Authentication bypasses that require access to software/hardware tokens.
• Bugs that are in content/services not owned by ConfigCat.
• Brute forcing of intended functionality.
• Leaking version or debugging information such as stack traces, path disclosure, or directory listings.
• Speculative reports or reports without enough information to confirm an issue.
• Reports recommending best practices without demonstrable proof of an actual issue.

Quality Over Quantity

We appreciate your time and effort in finding bugs. But we want quality reports, not just a high number of reports.

If you send too many false positives, invalid reports, or low-quality submissions, we may limit your submissions or even ban you from the program. We do this to keep the program useful for everyone.

When reporting issues, please go beyond just describing the problem. Provide possible solutions or a list of potential fixes. This helps ensure that at least one option is business-viable. Issues that cannot be reasonably fixed in a way that aligns with business needs are not considered true vulnerabilities, as their "fix" could introduce bigger problems than their existence.

Before you submit a report, please:
✅ Make sure the bug is real and reproducible.
✅ Check if it is out of scope.
✅ Provide clear steps, impact, and proof.
✅ Provide realistic possible solutions.

If we see repeated false positives or other low-quality reports from you, we may:

1. Warn you about improving your reports.
2. Limit your submissions if the issue continues.
3. Ban you if the problem does not stop.

We are here to reward great work. Let's keep the program valuable for everyone! 🚀

Calculating Payouts

We reserve the right to adjust payouts at our own discretion. But in general, we follow the following payout table to determine possible payout ranges for qualifying vulnerabilities, then use the severity of the vulnerability and other factors to determine a final payout amount. Please note, previous payment amount will not be considered precedent for future payouts, as the security impact of an issue may vary significantly based on the passage of time or development timelines.