Bug Bounty Program
Last Updated: February 8, 2026
At BidBolt, we take security seriously. We believe that working with skilled security researchers is essential to keeping our platform and our users safe. Our Bug Bounty Program rewards individuals who responsibly disclose qualifying security vulnerabilities in the BidBolt platform.
If you believe you have found a security vulnerability, we encourage you to report it to us. We will investigate every legitimate report and do our best to resolve issues quickly. We appreciate your effort to make BidBolt safer for everyone.
Scope
The following assets are in scope for this program:
- bidbolt.app — Primary web application
- api.bidbolt.app — Backend API endpoints
- BidBolt mobile apps — iOS and Android applications
- Authentication & authorization — Login, session management, role-based access control
- Payment processing flows — Checkout, card-on-file, refunds (excluding third-party provider infrastructure such as Square)
- Real-time bidding engine — Bid placement, proxy bidding, auction timing
- Livestream features — Chat, stream access controls
The following are out of scope and should not be tested:
- Third-party services and infrastructure (Square, Firebase, Google Cloud, Brevo, LiveKit)
- Social engineering, phishing, or physical attacks against BidBolt employees or users
- Denial-of-service (DoS/DDoS) attacks
- Automated scanning or brute-force attacks that degrade service
- Vulnerabilities in software or systems not owned by BidBolt
- Issues found through testing against accounts you do not own or control (unless explicitly authorized)
- Clickjacking on pages with no sensitive actions
- Self-XSS (cross-site scripting that only affects the reporter)
- CSRF on unauthenticated forms or forms with no sensitive actions
- Missing HTTP security headers that do not lead to a direct exploit
- SSL/TLS configuration issues (unless a concrete attack is demonstrated)
- Content spoofing or text injection without an attack vector
Reward Tiers
Rewards are based on the severity and impact of the vulnerability. We use the CVSS v3.1 scoring framework as a baseline, combined with our assessment of business impact and exploitability.
| Severity | CVSS Score | Reward Range | Examples |
|---|---|---|---|
| Critical | 9.0 – 10.0 | $500 – $2,000 | Remote code execution; authentication bypass granting admin access; mass data exfiltration of user PII or payment tokens; bid manipulation affecting auction outcomes |
| High | 7.0 – 8.9 | $200 – $500 | Privilege escalation (customer to admin); stored XSS in auction listings or chat; IDOR exposing other users' orders or payment info; bypassing payment for won auctions |
| Medium | 4.0 – 6.9 | $50 – $200 | CSRF on sensitive state-changing actions; reflected XSS; information disclosure of internal configuration; bypassing feature flags or rate limits |
| Low | 0.1 – 3.9 | $25 – $50 | Minor information leaks (verbose errors, stack traces); open redirect; missing security headers with limited impact; user enumeration via login/registration |
Exceptional reports that demonstrate novel attack chains, provide high-quality proof-of-concept code, or identify systemic architectural flaws may receive bonuses up to 2× the standard reward. Rewards are paid via PayPal, bank transfer, or BidBolt store credit (at 1.25× the cash value) at the researcher's choice.
Rules of Engagement
To qualify for a reward and safe harbor protections, you must follow these rules:
- Act in good faith. Do not access, modify, or delete data belonging to other users. Create your own test accounts.
- Do not disrupt services. Avoid any actions that could degrade the availability or performance of BidBolt for other users, including automated scanning at high volume.
- Report promptly. Submit your findings as soon as you have a reasonable understanding of the vulnerability. Do not continue exploiting a confirmed issue.
- Keep it confidential. Do not share or publicly disclose the vulnerability until we have confirmed that it has been remediated (or 90 days have passed since your initial report, whichever comes first).
- One report per issue. If multiple reporters discover the same vulnerability independently, only the first valid report will receive a reward.
- No social engineering. Do not target BidBolt employees, contractors, or other users through phishing, pretexting, or similar techniques.
- Legal compliance. Your testing must comply with all applicable laws. Research conducted under this program and in accordance with these rules will not result in legal action by BidBolt against you.
How to Report a Vulnerability
Send your report to [email protected] with the following information:
- Description: A clear and detailed explanation of the vulnerability, including the affected asset and impacted functionality.
- Steps to reproduce: Precise, step-by-step instructions or a proof-of-concept (PoC) that allows us to reliably reproduce the issue. Include screenshots, videos, or HTTP request/response logs as supporting evidence.
- Impact assessment: Your assessment of the potential impact, including what an attacker could achieve and who would be affected.
- Suggested severity: Your proposed CVSS score or severity rating (optional but helpful).
- Remediation suggestions: If you have recommendations for how to fix the issue, we welcome them (optional).
- Contact information: Your name (or alias), email address, and preferred payment method for reward delivery.
Please encrypt sensitive reports using our PGP key, available upon request at the same email address.
Response Timeline
We are committed to handling reports promptly and transparently:
- Acknowledgment: Within 2 business days of receiving your report.
- Triage & initial assessment: Within 5 business days. We will confirm whether the issue qualifies and provide an initial severity assessment.
- Remediation: We aim to resolve critical issues within 14 days, high-severity within 30 days, and medium/low within 60 days. Complex issues may take longer — we will keep you informed of progress.
- Reward payment: Within 15 business days of confirming the vulnerability and agreeing on severity.
Eligibility
To be eligible for a reward, you must:
- Be the first person to report the vulnerability to BidBolt.
- Provide a sufficiently detailed report to allow us to reproduce and verify the issue.
- Not be a current employee, contractor, or immediate family member of a BidBolt employee.
- Not reside in a country subject to U.S. trade sanctions (OFAC SDN list).
- Not have discovered the vulnerability through access to BidBolt source code, internal systems, or confidential information (unless through a separate authorized engagement).
- Comply with all Rules of Engagement listed above.
Non-Qualifying Submissions
The following types of reports generally do not qualify for a reward:
- Vulnerabilities that require physical access to a user's device.
- Issues on out-of-scope assets or third-party services.
- Theoretical attacks without a working proof of concept.
- Reports generated primarily by automated scanning tools without manual verification and context.
- Best-practice recommendations without a demonstrated security impact (e.g., suggesting HSTS without showing a concrete downgrade attack).
- Issues already known to BidBolt or previously reported by another researcher.
- Bugs that require unlikely user interaction (e.g., pasting attacker-controlled code into the browser console).
- Rate limiting or account lockout issues unless they enable a concrete attack.
Safe Harbor
BidBolt supports responsible security research. If your security research is conducted in accordance with this policy, we consider it to be:
- Authorized under the Computer Fraud and Abuse Act (CFAA) and analogous state laws.
- Exempt from the Digital Millennium Copyright Act (DMCA) anti-circumvention provisions to the extent your research involves circumvention of technological measures.
- Exempt from any restrictions in our Terms & Conditions that would otherwise prevent security research, provided you follow this policy.
We will not initiate or support legal action against you for security research conducted in good faith under this program. If a third party initiates legal action against you for research that complied with this policy, we will make it known that your research was authorized.
Hall of Fame
With your permission, we will publicly recognize researchers who submit valid reports in our Security Hall of Fame. If you prefer to remain anonymous, we will respect that choice. Recognition is independent of whether a monetary reward is issued.
Program Changes
BidBolt reserves the right to modify or discontinue this Bug Bounty Program at any time. Changes will be reflected on this page. Reports submitted before a change will be honored under the terms in effect at the time of submission.
Contact
For questions about this program, reach us at [email protected]. For general inquiries and non-security bugs, please use our Contact page or AI Support instead.