Bug Bounty Program

At IronCore Labs, the security of data is at the very core of our mission, and we want to know about any vulnerability that could be a threat to that security.



Before submitting, please review the guidelines, scope, and other information below to understand what you should and shouldn’t do and what is eligible or not eligible for a bounty.

Guidelines

  • Vulnerability reports MUST have a proof of concept or detailed step-by-step explanation of the security issue so we can reproduce it.
  • Please check the Scope section for a list of which systems and classes of vulnerabilities are accepted.
  • IronCore awards larger bounties for higher quality reports that include reproduction steps  and the impact on users.
  • Vulnerability reports MUST have a proof of concept or detailed step-by-step explanation of the security issue so we can reproduce it.
  • Please check the Scope section for a list of which systems and classes of vulnerabilities are accepted.
  • IronCore awards larger bounties for higher quality reports that include reproduction steps  and the impact on users.
  • We encourage researchers to include screenshots or video in their bug submissions that demonstrate the bug in action. These screenshots or video cannot be uploaded to public locations such as public Youtube videos. We can provide ways to share large files securely if needed. Just email us.
  • Include your recommendations to resolve reported issues, if any.
  • We do not respond to extortion or abusive or threatening language.
  • Research in good faith.
  • Don’t leave any system that you are accessing in a worse state than when you found it.
  • We need to be able to contact researchers for additional information. If seven days elapses with no response after we contact you, we may close a submission, making you ineligible for reward.
  • Never publicly disclose customer information. This is a hunt for bugs, not for customer data. If you find a way to access customer information while you are researching, please stop and report it to our bug bounty team. Continuing is not authorized, and you are not authorized to copy, store, transfer, or disclose customer information in any way.
  • Only publicly disclose a vulnerability with our specific consent. (See Disclosure below for more details.)
  • Please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.
  • Please don’t create an excessive number of accounts for testing.
  • Avoid using site-wide scanners. Researchers who wish to should be using targeted scanning tools in order to prevent affecting the production environment. If you notice any performance degradation with your use of targeted scanning tools, you must stop using them.
  • Be mindful with the rate and scope of automated scanning tools.
  • Account Freezes: there are situations where during testing your account may be frozen due to fraud protection measures. If this happens, please reach out to [email protected].
  • Because of US Government restrictions, researchers working from Iran, North Korea, Syria, Sudan, or Cuba are not eligible to participate in the IronCore Labs Bug Bounty Program.
  • You must be at least 18 years of age to participate in the IronCore Labs Bug Bounty program.

Public Disclosure

We will move as quickly as we can to remedy any critical issues, test the remedies, and get fixes out to customers. We ask that you wait until we’ve pushed out these fixes before you publicly disclose any issues. In some cases, we may need some extra time so that customers can update their SDK versions.

Any public vulnerability disclosure that does not have our written consent will result in you being ineligible for the IronCore Labs Bug Bounty Program.

Scope

Targets

The following targets are considered in scope:

  • api.ironcorelabs.com
  • admin.ironcorelabs.com
  • recrypt: transform encryption library: may be downloaded here*.
  • SDK: may be downloaded here**.
* Note that github.com is NOT in scope.
** Note that npmjs.com is NOT in scope.

Important: Please note that any vulnerabilities found on IronCore’s main webpage, ironcorelabs.com, or not list in the list above, are considered out of scope for this bug bounty program.

Focus Areas

This program is focused on vulnerabilities in IronCore Labs’ developer APIs and SDK.

  • Developer API vulnerabilities.
  • Unauthenticated access to users’ accounts / information, especially PII (Personally Identifiable Information).
  • Encryption issues not including side-channel issues in the SDK. Documentation can be found at: https://docs.ironcorelabs.com

Production Environment: Please note that this program scope is a production environment. With that in mind, please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.

Out-of-Scope and Vulnerability Exclusions

IronCore’s Main Website: Please note that any vulnerabilities found on IronCore’s main webpage, ironcorelabs.com, or on domains that are not listed in the Targets section are considered out of scope and are not eligible for IronCore’s bug bounty program.
 
  • DoS/DDoS
  • Service disruptions
  • Physical attacks, social engineering attacks, and phishing attacks of any kind.
  • 3rd party systems and solutions (any resource / service not managed by IronCore Labs).
  • Spam or any other mass distribution to customers, partners, etc.
  • Customer support channels (chat, phone, email, etc.) – If you have any questions or issues while testing, please send an email to [email protected].
  • Security reports that don’t pertain to IronCore Labs. If you’re sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.
  • Flaws specific to out of date browsers/plugins.
  • Browser functions controlled by the client, such as if a vulnerability is found in a specific implementation of the Web Crypto API.
  • Malicious code running on a host site
  • Malicious code running in a browser plugin
  • Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.
  • Cross-site request forgery.
  • Clickjacking, as well as any issues only exploitable through clickjacking.
  • Lack of the Secure flag on non-sensitive cookies.
  • Cross-site Request Forgery issues submitted with a proof-of-concept containing a nonce.
  • Vulnerabilities identified with automated tools (including web scanners) that do not include proof of concept code or a demonstrated exploit.
  • Descriptive error messages.
  • HTTP 404 or other HTTP error codes/ pages.
  • Disclosure of known public files or directories, e.g. robots.txt.
  • Spelling errors, UI and UX bugs.
Priority Reward
P1 $1,000 – $2,000
P2 $600 – $1,000
P3 $200 – $600
P4 $100 – $200
P5 unrewarded

Swag

IronCore Labs will be rewarding researchers with T-shirts for submission of a valid P3-P1 vulnerability. You will be contacted after the submission has been verified and reviewed. IronCore Labs will make a best effort (but no guarantee) to get qualifying researchers their swag. Sadly, it is very difficult to ship packages to some places in the world.