Bug Bounty Program

Before submitting, please review the guidelines, scope, and other information below to understand what you should and shouldn’t do and what is eligible or not eligible for a bounty.

Guidelines

• Vulnerability reports MUST have a proof of concept or detailed step-by-step explanation of the security issue so we can reproduce it.
• Please check the Scope section for a list of which systems and classes of vulnerabilities are accepted.
• IronCore awards larger bounties for higher quality reports that include reproduction steps  and the impact on users.
• We encourage researchers to include screenshots or video in their bug submissions that demonstrate the bug in action. These screenshots or video cannot be uploaded to public locations such as public Youtube videos. We can provide ways to share large files securely if needed. Just email us.
• Include your recommendations to resolve reported issues, if any.
• We do not respond to extortion or abusive or threatening language.
• Research in good faith.
• Don’t leave any system that you are accessing in a worse state than when you found it.
• We need to be able to contact researchers for additional information. If seven days elapses with no response after we contact you, we may close a submission, making you ineligible for reward.
• Never publicly disclose customer information. This is a hunt for bugs, not for customer data. If you find a way to access customer information while you are researching, please stop and report it to our bug bounty team. Continuing is not authorized, and you are not authorized to copy, store, transfer, or disclose customer information in any way.
• Only publicly disclose a vulnerability with our specific consent. (See Disclosure below for more details.)
• Please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.
• Please don’t create an excessive number of accounts for testing.
• Avoid using site-wide scanners. Researchers who wish to should be using targeted scanning tools in order to prevent affecting the production environment. If you notice any performance degradation with your use of targeted scanning tools, you must stop using them.
• Be mindful with the rate and scope of automated scanning tools.
• Account Freezes: there are situations where during testing your account may be frozen due to fraud protection measures.
• Because of US Government restrictions, researchers working from Iran, North Korea, Syria, Sudan, or Cuba are not eligible to participate in the IronCore Labs Bug Bounty Program.
• You must be at least 18 years of age to participate in the IronCore Labs Bug Bounty program.

Public Disclosure

We will move as quickly as we can to remedy any critical issues, test the remedies, and get fixes out to customers. We ask that you wait until we’ve pushed out these fixes before you publicly disclose any issues. In some cases, we may need some extra time so that customers can update their SDK versions.

Any public vulnerability disclosure that does not have our written consent will result in you being ineligible for the IronCore Labs Bug Bounty Program.

Priority Reward

P1 $1,000 – $2,000

P2 $600 – $1,000

P3 $200 – $600

P4 $100 – $200

P5 unrewarded

Swag

IronCore Labs will be rewarding researchers with T-shirts for submission of a valid P3-P1 vulnerability. You will be contacted after the submission has been verified and reviewed. IronCore Labs will make a best effort (but no guarantee) to get qualifying researchers their swag. Sadly, it is very difficult to ship packages to some places in the world.

Focus Areas

This program is focused on vulnerabilities in IronCore Labs’ developer APIs and SDK.

• Developer API vulnerabilities.
• Unauthenticated access to users’ accounts / information, especially PII (Personally Identifiable Information).
• Encryption issues not including side-channel issues in the SDK. Documentation can be found at: https://docs.ironcorelabs.com

Production Environment: Please note that this program scope is a production environment. With that in mind, please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.

Out-of-Scope and Vulnerability Exclusions

IronCore’s Main Website: Please note that any vulnerabilities found on IronCore’s main webpage, ironcorelabs.com, or on domains that are not listed in the Targets section are considered out of scope and are not eligible for IronCore’s bug bounty program. 

• DoS/DDoS
• Service disruptions
• Physical attacks, social engineering attacks, and phishing attacks of any kind.
• 3rd party systems and solutions (any resource / service not managed by IronCore Labs).
• Spam or any other mass distribution to customers, partners, etc.
• Customer support channels (chat, phone, email, etc.)
• Security reports that don’t pertain to IronCore Labs. If you’re sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.
• Flaws specific to out of date browsers/plugins.
• Browser functions controlled by the client, such as if a vulnerability is found in a specific implementation of the Web Crypto API.
• Malicious code running on a host site
• Malicious code running in a browser plugin
• Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.
• Cross-site request forgery.
• Clickjacking, as well as any issues only exploitable through clickjacking.
• Lack of the Secure flag on non-sensitive cookies.
• Cross-site Request Forgery issues submitted with a proof-of-concept containing a nonce.
• Vulnerabilities identified with automated tools (including web scanners) that do not include proof of concept code or a demonstrated exploit.
• Descriptive error messages.
• HTTP 404 or other HTTP error codes/ pages.
• Disclosure of known public files or directories, e.g. robots.txt.
• Spelling errors, UI and UX bugs.
• Reports of missing SPF records for domains with no MX record