Report Security Issues to SignalStack

If you have come across a security issue in the SignalStack platform, report it to us with this form. For vulnerabilities that we are able to confirm, we will pay a bounty according to their severity.

  1. We reward security researchers for reporting vulnerabilities. The size of the reward depends on the severity of the issue you identify. Please follow these guidelines when hunting for and reporting vulnerabilities:
    1. Avoid any non-technical attacks, such as social engineering, against our users or team members.
    2. Do not involve other users in your proof-of-concept testing without their explicit permission.
    3. Provide a thorough description of the vulnerability, including clear steps to reproduce it. Only reproducible reports are eligible for rewards.
    4. Avoid actions that degrade service, cause privacy breaches, or lead to data loss, unless such effects are inherent to demonstrating the vulnerability.
    5. If we receive multiple reports of the same underlying issue, the first reproducible report will receive the reward.
  2. High-severity vulnerabilities are those that can affect the entire platform or a majority of users simultaneously. Examples include:
    1. Full compromise of an arbitrarily selected user account
    2. Unauthorized administrator access
    3. High-impact code or query injections
    4. Remote code execution
    5. Server-Side Request Forgery (SSRF)
    6. Unrestricted access to files or databases, resulting in sensitive data leaking
  3. Medium-severity vulnerabilities are the ones that may impact multiple users without requiring their interaction. For example:
    1. Insecure Direct Object References (IDOR).
    2. Persistent (Stored) Cross-Site Scripting (XSS).
  4. Low-severity vulnerabilities typically affect single users and require user interaction to reproduce. Examples include:
    1. Reflected Cross-Site Scripting (XSS)
    2. Cross-Site Request Forgery (CSRF), except when it triggers logout
  5. The scope of this program does not include the following:
    1. All forms of social engineering
    2. Issues requiring highly unusual user behavior
    3. Vulnerabilities that demand full access to a user’s email, phone, or other private accounts
    4. Weaknesses with no meaningful impact or feasible exploitation
    5. Mass credential leaks from end user devices, not targeted or limited to our platform

Terms

This document is an agreement between SignalStack, LLC, including all subsidiaries and affiliates (the “Company”), and the white hat hacker (the “Participant”) who is reporting security issues related to the web-based platform owned and operated by the Company.

By participating in the bug bounty program, the Participant agrees to be bound by the following terms and conditions:

  • Participant agrees to identify security issues and report them to the Company.
  • Participant agrees to provide the Company with sufficient information about the security issue so that the Company can verify and confirm the issue.
  • Participant agrees that the Company shall be the sole arbiter of whether or not the security issue is real, material, and should be paid out, and how much should be paid out.
  • Participant agrees that the Company reserves the right to reject any security issue in its sole discretion.
  • Participant agrees that if the Company verifies and confirms the security issue, the Company shall pay out a bounty between $100 and $4,000 per issue, depending on the severity of the issue, as determined by the Company in its sole discretion.
  • Participant agrees that payment will be made by the Company within 30 days of verification and confirmation of the security issue.
  • Participant agrees to keep confidential any information related to the security issue and the bug bounty program, and agrees not to disclose this information to any third party without the Company’s prior written consent.
  • Participant agrees to indemnify, defend, and hold harmless the Company, its subsidiaries, affiliates, officers, agents, employees, and customers from any third-party claims, liability, damages, or costs arising from or related to Participant’s participation in the bug bounty program.
  • Participant agrees to waive any right to bring a claim against the Company for any damages or losses arising out of or related to the security issue or the bug bounty program.
  • Participant agrees that this Agreement shall be governed by and construed in accordance with the laws of the Northern District of Illinois, USA, and the parties hereby consent to the exclusive jurisdiction and venue of the courts located therein.
  • Participant agrees that if any provision of this Agreement is held to be invalid or unenforceable, such provision shall be struck and the remaining provisions shall be enforced.
  • Participant agrees that this Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof, and supersedes and replaces all prior or contemporaneous understandings or agreements, written or oral, regarding such subject matter.
  • Participant agrees that the Company may amend this Agreement at any time and Participant’s continued participation in the bug bounty program constitutes acceptance of such amendments.
  • Participant understands that SignalStack is a United States entity and is required by law to comply with United States regulations set by the Office of Foreign Assets Control (OFAC). This means that SignalStack will only be able to pay for bug bounties if (a) Participant is not listed on OFAC personally, (b) Participant’s banking institution is not listed by OFAC, (c) Participant is not located in a region of the world that is comprehensively sanctioned by OFAC (such as, but not limited to, Iran and North Korea). Participant understands that prior to being paid by SignalStack, they must provide accurate and complete information about their identity and location to facilitate checks. SignalStack reserves the right to withhold payment until verification is complete. SignalStack also reserves the right to request additional documentation about identity prior to releasing any bug bounty payments.
  • Participant agrees that any cause of action arising out of or related to this Agreement must be commenced within one (1) year after the claim or cause of action arises.
  • Participant agrees that the Company may use Participant’s name, likeness, and company name (if applicable) in publicizing the bug bounty program and Participant’s successful participation in it, including but not limited to press releases, social media, and the Company’s website.

By participating in the bug bounty program, Participant agrees to be legally bound by the terms and conditions of this Agreement.