At IronCore Labs, the security of data is at the very core of our mission, and we want to know about any vulnerability that could be a threat to that security.
Our Bug Bounty Program is designed to reward people like you who follow responsible disclosure principles by reaching out to us when you’ve identified a vulnerability which would impact the security of our platform or our customers.
To participate you need to follow the simple guidelines below. We may, at our discretion, have to delete and block test accounts that are found to be abusing our testing guidelines.
Anyone who doesn’t work for IronCore Labs or our partners is eligible for a bounty, but anyone can submit an issue to us as part of responsible disclosure practices.
To disclose an issue for our bug bounty program, please fill out the form. We will respond by email to your form submission. If you have more information to disclose or files to attach, you can respond to the email you receive with the additional items.
Before submitting, please review the guidelines, scope, and other information below to understand what you should and shouldn’t do and what is eligible or not eligible for a bounty.
We will move as quickly as we can to remedy any critical issues, test the remedies, and get fixes out to customers. We ask that you wait until we’ve pushed out these fixes before you publicly disclose any issues. In some cases, we may need some extra time so that customers can update their SDK versions.
Any public vulnerability disclosure that does not have our written consent will result in you being ineligible for the IronCore Labs Bug Bounty Program.
This program uses the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.
Submitting a bug can qualify for a reward if you were the first researcher to alert us to a previously unknown issue, and the issue triggers a code or configuration change.
IronCore Labs pays rewards using PayPal.
Priority Reward
P1 $1,000 – $2,000
P2 $600 – $1,000
P3 $200 – $600
P4 $100 – $200
P5 unrewarded
IronCore Labs will be rewarding researchers with T-shirts for submission of a valid P3-P1 vulnerability. You will be contacted after the submission has been verified and reviewed. IronCore Labs will make a best effort (but no guarantee) to get qualifying researchers their swag. Sadly, it is very difficult to ship packages to some places in the world.
The following targets are considered in scope:
* Note that github.com is NOT in scope.
** Note that npmjs.com is NOT in scope.
Important: Please note that any vulnerabilities found on IronCore’s main webpage, ironcorelabs.com, or on anything not listed in the list above, are considered out of scope for this bug bounty program.
This program is focused on vulnerabilities in IronCore Labs’ developer APIs and SDK.
Production Environment: Please note that this program scope is a production environment. With that in mind, please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.
IronCore’s Main Website: Please note that any vulnerabilities found on IronCore’s main webpage, ironcorelabs.com, or on domains that are not listed in the Targets section are considered out of scope and are not eligible for IronCore’s bug bounty program.
IronCore Labs reserves the right to modify terms and conditions of the IronCore Labs Bug Bounty Program, or to cancel this program at any time. Your participation in the program constitutes acceptance of all terms. Any changes to this page are effective as of the time of posting.
Updates to this page
• October 8, 2018 added Exclusion: “Reports of missing SPF records for domains with no MX record”