Program Overview
Security of our users and their data is paramount for Birdview. That's why we encourage ethical vulnerability research and reporting.
Should you find or discover any security vulnerability, please report it to Birdview, and our team will investigate and address it as soon as possible.
Birdview offers monetary rewards (bug bounty) for submitted security vulnerabilities. The value of the reward is affected by a number of factors, including but not limited to severity, impact and exploitability.
Program Rules
Please review and understand the rules of the Birdview Vulnerability Program before reporting a vulnerability. By participating in this program, you agree to be bound by these rules:
- Do not violate any criminal or other applicable laws.
- Create your own trial account for testing purposes and avoid trying to gain access to accounts that you don't own.
- Contact Birdview immediately if you do inadvertently access user data that is not yours. Do not view, alter, save, store, transfer, or otherwise access the data. Immediately and securely delete any local information upon reporting the vulnerability to Birdview.
- Report the found vulnerability upon its discovery or at your earliest convenience.
- Do not perform any activity that would be disruptive, damaging or harmful to Birdview and its services.
- Please allow Birdview a reasonable amount of time to address the issue before making any information about it public. Do not disclose the details of the vulnerability publicly before such vulnerabilities have been resolved.
- Notify us in advance at [email protected] if you plan to use any automated vulnerability scanning tools.
- Failure to comply with the program rules will result in immediate disqualification from the Birdview Vulnerability Reward Program and forfeiture of any pending reward payments.
- Please note that Birdview will only reward the first reporter of a vulnerability.
The rewards are granted entirely at the discretion of Birdview.
Exclusions
Please note that the following issues are not considered security vulnerabilities and are not eligible for reward payments.
- Missing any security best practices that are not vulnerabilities
- Self XSS
- Username or email address enumeration
- Email bombing
- Clickjacking in unauthenticated pages or in pages with no significant state-changing action
- Logout or unauthenticated CSRF
- Missing cookie flags on non-sensitive cookies
- Missing security headers which do not lead directly to a vulnerability
- Unvalidated findings from automated tools or scans
- Issues that do not affect the latest version of modern browsers or platforms
- Attacks that require physical access to a user device
- Social engineering
- Use of a known-vulnerable library (without evidence of exploitability)
- Low impact descriptive error pages and information disclosures without any sensitive information
- Invalid or missing SPF/DKIM/DMARC/BIMI records
- Invalid or missing DNSSEC records
- TLS 1.0/1.1 and/or weak ciphers enabled on non-sensitive domains (without evidence of exploitability)
- Password and account policies, such as (but not limited to) reset link expiration or password complexity
- Missing rate limitations on endpoints (without any security concerns)
- 0-day vulnerabilities in any third parties we use within 14 days of their disclosure
- Retaining EXIF metadata on non-public file uploads
- Any other issues determined to be of low or negligible security impact
How to Report a Vulnerability
Please submit your report using this form.
The Vulnerability Report should include clear reproduction steps as well as Proof of Concept images and/or video.
Classification of Vulnerabilities and Reward Levels
The Birdview team ranks the severity of security vulnerabilities based on the Common Vulnerability Scoring System (CVSS). You can learn more about CVSS at FIRST.org.
| Severity Level | CVSS Score | Reward payment (USD) |
|---|---|---|
| Low | 0.1 – 3.9 | $10 – $30 |
| Medium | 4.0 – 6.9 | $30 – $80 |
| High | 7.0 – 8.9 | $80 – $200 |
| Critical | 9.0 – 10.0 | $200 – $500 |