Program Overview
The security of our users and their data is paramount to Birdview. That's why we encourage ethical vulnerability research and responsible reporting.
If you find or discover a security vulnerability, please report it to Birdview. Our team will investigate and address it as soon as possible.
Birdview offers monetary rewards, also known as bug bounties, for submitted security vulnerabilities. The value of the reward is affected by a number of factors, including, but not limited to, severity, impact, and exploitability.
Program Rules
Please review and understand the rules of the Birdview Vulnerability Reward Program before reporting a vulnerability. By participating in this program, you agree to be bound by these rules:
- Do not violate any criminal or other applicable laws.
- Create your own trial account for testing purposes, and avoid trying to gain access to accounts that you do not own.
- Contact Birdview immediately if you inadvertently access user data that is not yours. Do not view, alter, save, store, transfer, or otherwise access the data. Immediately and securely delete any local information upon reporting the vulnerability to Birdview.
- Report the vulnerability upon discovery or at your earliest convenience.
- Do not perform any activity that would be disruptive, damaging, or harmful to Birdview or its services.
- Please allow Birdview a reasonable amount of time to address the issue before making any information about it public. Do not publicly disclose the details of a vulnerability before it has been resolved.
- Notify us in advance at [email protected] if you plan to use any automated vulnerability scanning tools.
- Failure to comply with the program rules will result in immediate disqualification from the Birdview Vulnerability Reward Program and forfeiture of any pending reward payments.
- Please note that Birdview will only reward the first reporter of a vulnerability.
Rewards are granted at Birdview's sole discretion.
Exclusions
Please note that the following issues are not considered security vulnerabilities and are not eligible for reward payments:
- Missing security best practices that are not vulnerabilities
- Self-XSS
- Username or email address enumeration
- Email bombing
- Clickjacking on unauthenticated pages or on pages with no significant state-changing actions
- Logout or unauthenticated CSRF
- Missing cookie flags on non-sensitive cookies
- Missing security headers that do not directly lead to a vulnerability
- Unvalidated findings from automated tools or scans
- Issues that do not affect the latest versions of modern browsers or platforms
- Attacks that require physical access to a user's device
- Social engineering
- Use of a known-vulnerable library without evidence of exploitability
- Low-impact descriptive error pages and information disclosures without any sensitive information
- Invalid or missing SPF, DKIM, DMARC, or BIMI records
- Invalid or missing DNSSEC records
- TLS 1.0/1.1 and/or weak ciphers enabled on non-sensitive domains without evidence of exploitability
- Password and account policies, such as, but not limited to, reset link expiration or password complexity
- Missing or insufficient email verification, confirmation, or password re-authentication, unless it leads to direct unauthorized access to another user's account or data
- Missing rate limitations on endpoints without any related security concern
- Zero-day vulnerabilities in any third-party services we use within 14 days of public disclosure
- Retaining EXIF metadata on non-public file uploads
- Any other issues determined to be of low or negligible security impact
How to Report a Vulnerability
Please submit your report using this form.
The vulnerability report should include clear reproduction steps, as well as proof-of-concept images and/or video.
Classification of Vulnerabilities and Reward Levels
The Birdview team ranks security vulnerability severity levels based on the Common Vulnerability Scoring System (CVSS). You can learn more about CVSS at FIRST.org.
| Severity Level | CVSS Score | Reward Payment (USD) |
|---|---|---|
| Low | 0.1 – 3.9 | $10 – $30 |
| Medium | 4.0 – 6.9 | $30 – $80 |
| High | 7.0 – 8.9 | $80 – $200 |
| Critical | 9.0 – 10.0 | $200 – $500 |