Disclosure Policy

• Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

• Follow HackerOne's disclosure guidelines.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report received (provided it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Social engineering (e.g., phishing, vishing, smishing) is prohibited.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

• Ask the program team before submitting vulnerabilities on unscoped subdomains

• Only interact with accounts you own or with the explicit permission of the account holder.

Test Plan

• Access the primary test environment using the provided test credentials. New researchers on the platform may not be able to claim credentials as per Hackerone guidelines and we will not be able to provide the same via email.

• Test environment: https://uat-bugbounty.nonprod.syfe.com/

• Note: Findings on the test environment need to be reproducible on the production environment for the finding to be eligible.

Non-Qualifying Bugs/Known Issues

Typically, the following types of bugs and activities are not eligible for a bounty:

• Security vulnerabilities on sites hosted by third parties (e.g. help.syfe.com) unless they lead to a vulnerability on a Syfe main app
• Denial of service (DoS) on Syfe infrastructure
• Spamming
• Social Engineering
• Missing best practices in SSL/TLS configuration
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Bugs affecting outdated or unpatched browsers
• Rate-limit issues (unless reproducible on production)
• Information disclosure on UAT environment
• Previously known vulnerable libraries without a working Proof of Concept
• Open redirect - unless an additional security impact can be demonstrated
• DOM XSS via redirect-url (widespread issue for which fix is already in progress)
• Promo code URLs on web archive, Promo code enumeration
• Root detection/Jailbreak detection/SSL Pinning bypass
• Credential leakage reports are considered informational if two-factor authentication (2FA) is in place
• Rate limiting or brute force issues unless they can be abused for account takeover or financial damages
• Self XSS/File Upload XSS
• Edit own account details for non-KYC verified accounts
• Response manipulation that only affects the UI and no actual access to any accounts/features
• CORS related issues unless you can exfiltrate data
• Debug View/login into any account on UAT
• Exposed API keys without a proof of concept
• Pasting authorization token from another account to access their details

Disqualifiers

• Any modification or destruction of user data
• Overwhelming our support team with messages
• Taking any steps that intentionally violate the privacy of our users
• Denial of service, either against company infrastructure or user accounts
• Social engineering of any kind against our users or employees
• Any type of brute-forcing or automated attack techniques on production

Session Layer: HTTP Headers

For production environments, researchers should add headers to requests such as:

• "X-HackerOne-Research: [H1 username]"

If you signup on production, use only @wearehackerone.com email address to be eligible for bounty and avoid any blocks.

Rewards

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are at the discretion of Syfe.

Thank you for helping keep Syfe and our users safe!