
PocketRN Bug Bounty Program

PocketRN is focused on ensuring the security of our customers' data. If you believe you have discovered a security or privacy vulnerability that affects PocketRN web services, databases, web servers, or cloud environment, please report it to us. We reward researchers who share with us critical issues and the techniques used to exploit them. It is a priority to resolve confirmed issues as quickly as possible.


Eligibility

To be eligible for a PocketRN Security Bounty, the issue must occur on the latest publicly available versions of the PocketRN web app with a standard configuration and, where relevant, on the latest publicly available hardware.

You must be the first party to report the issue to the PocketRN Security Team. A verifiable security vulnerability that has already been reported but not yet closed will still be rewarded $10 for the submission.

You must provide a clear report, which includes a working exploit (detailed below).

You must not disclose the issue publicly before PocketRN releases a public security report and fix for the bug.

Bounty Categories

Bounty payments are determined by the level of access or execution achieved by the reported issue (reduced if the quality of the report is insufficient). The exact payment amounts are determined after a review by PocketRN. All security issues with significant impact on users will be considered for PocketRN Security Bounty payment. Security Bounty payments are at PocketRN's discretion.

Vulnerability Risk Level & Reward Amount

  • Low: $50. We consider a low-risk vulnerability one that is either exceedingly difficult to execute, has no immediate impact on how we operate or has little impact on our customers or their data.
  • Medium: $150. We consider a medium-risk vulnerability one that would be easy to exploit, will impact our services and can impact sensitive customer data or sufficiently degrade their experiences.
  • High: $500. We consider a high-risk vulnerability one that would be easy to exploit, will greatly impact our services, and can greatly impact sensitive customer data of many customers or put our customers in serious danger of attack because our services expose an attack vector.
  • +$10 for submitting a verifiable security vulnerability (as explained above).

If we believe your report has no reasonable vulnerability rating, we will not pay out any amount for the report. These include, but are not limited to, bugs that are exceedingly unlikely to occur or practically impossible to execute, user-controlled URL redirection, logout cross-site request forgery, self-hosted JavaScript, flaws impacting out-of-date browsers/OSes/etc., email spoofing, or third-party vulnerabilities we do not have direct control over.

Report and Payout Guidelines

The goal of the PocketRN Security Bounty is to protect customers by understanding both vulnerabilities and their exploitation techniques and technologies. Reports lacking the necessary information to enable PocketRN to efficiently reproduce the issue will result in a significantly reduced bounty payment if accepted at all.

A complete report includes:

  • A detailed description of the issues being reported.
  • Any prerequisites and steps to get the system to an impacted state.
  • A reasonably reliable exploit for the issue being reported.

That is, we need sufficient information for PocketRN to be able to reasonably reproduce the issue in a timely manner.

Sending Your Report

Send your report by email to security@pocketrn.com. Whenever possible, encrypt all communications. Include all relevant videos, crash logs, and system diagnosis reports in your email. If necessary, contact us and ask about a drop location for large file uploads.

Payout

You will either be paid out in an Amazon Gift Card (up to $200) or via a Bill.com invoice. Before receiving the reward, you will be required to fill out a W9 form for accounting and tax purposes (or a W-8BEN if you are a foreign individual). You can access a W9 form here, or a W-8BEN here.

  • You cannot be rewarded more than $599 in a given calendar year.
  • We do not pay out if the bug is publicly disclosed before we fix it.
  • We will provide the payout at the time of the fix (or within 10 business days: whichever comes first).

Terms and Conditions

  1. You must not disrupt PocketRN web services, databases, or any other PocketRN technologies. If such disruption is necessary to discover the exploit, contact security@pocketrn.com about the steps you will be taking and we will work with you to provide a safe environment and time for your attack.
  2. Immediately stop your research and notify PocketRN at security@pocketrn.com before any of the following occur:
    1. You access any accounts or data other than your own (or those for which you have explicit, written permission from their owners).
    2. You disrupt any PocketRN web services, databases, or any other PocketRN technologies.
  3. You must comply with all applicable laws, including local laws of the country or region in which you reside or in which you use PocketRN services.
  4. PocketRN Security Bounty payments are granted solely at the exclusive discretion of PocketRN.
  5. PocketRN Security Bounty payments may not be issued to you if you are in any U.S. embargoed countries or on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person’s List or Entity List or any other restricted party lists.
  6. You are responsible for the payment of all applicable taxes.
  7. If the bug is publicly disclosed or disclosed to a third party, PocketRN will void the payout.
  8. If you repeatedly submit the same vulnerability, you will be permanently ineligible.
  9. Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, or do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.
  10. We do not accept vulnerabilities regarding third-party tools, libraries, or software that we use unless the report concerns specifically how we are utilizing the system and not a more generalized vulnerability of said software. If it is a vulnerability in code dependencies and our automated vulnerability code scanning detects the vulnerability, whether or not we've yet resolved it, we will not accept the report.

We're extremely grateful for your contributions in helping PocketRN be safe, secure, and protected. On behalf of our security team, thank you for your dedication to the hacking craft and community!

CONTACT INFORMATION

PocketRN

The PocketRN Support Team
support@pocketrn.com
872-233-4490
