Nolt Bug Bounty Program
Nolt takes the security and privacy of customer data seriously. As part of efforts to secure and protect customer data, we encourage security researchers to test our software and receive rewards for uncovering vulnerabilities.
How the program works:
- Report vulnerabilities to email@example.com as you as you discover them, but keep it confidential between yourself and Nolt until the issue is resolved.
- Please avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- You must be the first person to report the issue to us.
Please ensure your bug report is clear, easy to understand, and contains screenshots or videos if possible. Please also keep your bug report confidential before sharing it with us.
Payouts will be rewarded based on severity and the quality of the bug report.
Low risk examples:
- Mixed content
- Provisioning errors or server misconfigurations
- Other similar low-severity issues
Moderate risk examples:
- Broken authentication affecting one account
- Privilege escalation affecting one account
- Server-side request forgery (SSRF)
- Cross-site request forgery (CSRF) on user data
- And other moderate-severity issues
High risk examples:
- Stored XSS vulnerabilities
- Leaks of customer data or information
- SQL injection and/or remote code execution
- Privilege escalation affecting all accounts
- Broken authentication affecting all accounts
- Server-side request forgery (SSRF) with immediate and direct security risks
- And other critical-severity issues
The following issues are likely to be out of scope for our bug bounty program:
- Issues found through automated testing
- "Scanner output" or scanner-generated reports
- Legacy browser exploits
- Publicly-released bugs in internet software within 3 days of their disclosure
- Issues with publicly-available malicious browser extensions or similar third-party plugins and software which capture user data
- "Advisory" or "Informational" reports that do not include any Nolt-specific testing or context
- Spam or social engineering techniques, including:
- SPF and DKIM issues
- Content injection
- Hyperlink injection in emails
- IDN homograph attacks
- RTL Ambiguity
- Content spoofing
- Attacks requiring physical or remote access to a user's device
- Brute force attacks
- Denial of service attacks
- Reports related to the following security-related headers:
- Strict transport security (HSTS)
- XSS mitigation headers
- Content security policy (CSP) settings (excluding nosniff in an exploitable scenario)
- Security bugs in third-party applications or services built on the Nolt APIs
- SSL/TLS issues
- Issues relating to password policy
- Version number information disclosure
- Full-path disclosure
Learn how we secure our infrastructure and protect your data.