- For you to participate in the program, we require that:
- You do not interact with an individual account (which includes modifying or accessing data from the account) without the account owner's explicit written consent, which you must produce upon request.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services. You must not intentionally violate any applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
- If you inadvertently access another person's data or PlasBit company data without authorization while investigating an issue, you must promptly cease any activity that might result in further access of user or PlasBit company data, notify PlasBit of what information was accessed (including a full description of the contents of the information), and then immediately delete the information from your system. Continuing to access another person's data or company data may demonstrate a lack of good faith and disqualify you from any benefit or monetary reward. You must also acknowledge the inadvertent access in any related bug bounty report you may subsequently submit. You may not share the inadvertently accessed information with anyone else.
- You do not exploit a security issue you discover for any reason other than for testing purposes, and you do not conduct testing outside of your own account, or another account for which you have the explicit written consent of the account owner to test. (This includes demonstrating additional risk, such as the risk that the security issue could be used to compromise sensitive company data or another user's account.)
- You give us reasonable time to investigate and mitigate an issue you report before publicly disclosing any information about the report or sharing such information with others.
- You are not employed by, or a contractor/vendor of, PlasBit or its subsidiaries or affiliates, and you are not an immediate family member of a person employed by PlasBit or its subsidiaries or affiliates (defined for these purposes as including spouse, domestic partner, parent, legal guardian, legal ward, child, and sibling, and each of their respective spouses, and individuals living in the same household as such individuals).
- You are not less than 14 years of age. If you are at least 14 years old but are considered a minor in your place of residence, you must get your parent's or legal guardian's permission prior to participating.
PlasBit Bug Bounty Program
If you submit research for a security or privacy vulnerability, your report may be eligible for a reward. The PlasBit Bug Bounty Program is designed to recognize your work in helping us protect the security and privacy of our users.
Submit your Research
If you believe you've discovered a security or privacy vulnerability that affects the PlasBit website, please report it directly to us. We review all eligible research for PlasBit Bug Bounty rewards. With our online form, submitting and tracking your reports is easier than ever.
Researcher Hall of Fame
Thanks to the following researchers for reporting important security issues
Responsible Research and Disclosure Policy
Bug Bounty Program Processes
- We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our products and services. Monetary bounties for such reports are entirely at PlasBit's discretion, based on risk, impact, number of vulnerable users, and other factors. To be considered for a bounty, you must meet the following requirements:
- Report a security bug: identify a vulnerability in our services or infrastructure that creates a security or privacy risk. (Note that PlasBit determines the risk of an issue and that many software bugs are not security issues.) Report the vulnerability upon discovery or as soon as feasible.
- Submit your report via our “Report a Security Vulnerability” form (one issue per report) and respond to any follow-up requests from our staff for updates or further information. Please do not contact our staff directly or through other channels about a report.
- Before engaging in any action which may be inconsistent with or unaddressed by these terms of service, contact us for clarification by submitting a new submission with your question.
- In turn, we will follow these guidelines when evaluating reports under our bug bounty program:
- We investigate and respond to all valid reports. We prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply.
- We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. Note that extremely low-risk issues may not qualify for a bounty at all. Even if the issue you identify is low-risk in isolation, if your report leads us to discover higher-risk vulnerabilities, we may pay an increased award at our sole discretion.
- We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.
- In the event of duplicate reports, we award a bounty to the first person to submit an issue. (PlasBit determines duplicates in its sole discretion and is not obligated to share details on prior similar reports.) A given bounty is typically only paid to one individual. However, if a subsequent report on a previously evaluated issue reveals that a vulnerability still remains or is more serious than initially judged, we may pay a reward for the subsequent report and evaluate whether an additional reward is warranted for the initial entry.
- You may donate a bounty to a recognized charity (subject to approval by PlasBit). In fact, we double bounty amounts that are donated in this way.
- We reserve the right to publish reports (and accompanying updates).
- We publish a list of researchers who have submitted valid security reports. You must receive a bounty to be eligible for this list, but your participation on the list is then optional. We reserve the right to limit or modify the information accompanying your name in the list.
- PlasBit may share report information, such as severity levels, payout amounts, and, if you provide consent, researcher details for the purpose of processing bounty payouts.
- We may retain any communications about security issues you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.
Third Party Applications or Websites
- Vulnerabilities in third-party apps or websites that integrate with PlasBit are within scope only where the vulnerability is found in one of the following two ways:
- through passively viewing data sent to or from your device while using the app or website. You are not permitted to manipulate any request sent to the app or website from your device or to otherwise interfere with the ordinary functioning of the app or website in connection with the research supporting your report. (For example, SQLi, XSS, open redirect, or permission-bypass vulnerabilities (such as IDOR) are strictly out of scope.)
- other activity authorized by the third party responsible for the app or website, for example under the terms of the third party's own vulnerability disclosure or bug bounty program. PlasBit's Bug Bounty Terms do not provide any authorization allowing you to test an app or website controlled by a third-party. Please only share details of a vulnerability if permitted to do so under the third party's applicable policy or program. Your report should include a link to the third party's vulnerability disclosure or bug bounty program, or to any authorization received from the third party for the activity underlying your report.
- The vulnerability must have some potential impact on PlasBit user data or systems (e.g. access token disclosure).
- Whether we will pay any award in response to a report of a vulnerability affecting a third-party app or website (and if so, how much) is completely within our discretion. Factors that will influence our award decision include, but are not limited to, our ability to verify the vulnerability and ensure that it is remediated, and the extent of the potential impact the vulnerability could have on PlasBit user data or systems if left unfixed. Receiving an award through the relevant third party's bug bounty program does not disqualify you from receiving an award through the PlasBit Bug Bounty program if submitted in compliance with these terms.
- These guidelines are intended to help you understand the payout decisions for each focus area and the methodology we apply when awarding bounty payouts. Each guideline provides a maximum payout for a particular bug category and describes what mitigating factors would prompt a deduction from that amount. In general, the more mitigating factors that exist, the lower the bounty will be.
- The triage team will apply these guidelines when assessing reports submitted to our program; however, as these are only guidelines, it is within the team's sole discretion to assess the mitigating factors and deduction amounts on a case-by-case basis.
Terms and Conditions
- You must not disrupt, compromise, or otherwise damage data or property owned by other parties. This includes attacking any devices or accounts other than your own (or those for which you have explicit, written permission from their owners), and using phishing or social engineering techniques.
- You must not disrupt PlasBit services.
- Immediately stop your research and notify PlasBit using the reporting form before any of the following occur:
- You access any accounts or data other than your own (or those for which you have explicit, written permission from their owners).
- You disrupt any PlasBit service.
- You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you use PlasBit Products or services.
- PlasBit Security Bounty payments are granted solely at the exclusive discretion of PlasBit.
- You are responsible for the payment of all applicable taxes.
- A participant in the PlasBit Bug Bounty program will not be deemed to be in breach of applicable PlasBit license provisions which provide that a user of PlasBit Products or Services may not copy, decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify, or create derivative works of such PlasBit Products, for in-scope actions performed by that Participant where all of the following are met:
- The actions were performed during good-faith security research, which was — or was intended to be — responsibly reported to PlasBit;
- The actions were performed strictly during participation in the PlasBit Bug Bounty program; and
- Neither the actions nor the Participants have otherwise violated these policies such as violating legal requirements 1, 2, and 3, above.