Overview

Our Bug Bounty Program is designed to reward people like you who follow responsible disclosure principles by reaching out to us when you’ve identified a vulnerability which would impact the security of our platform or our customers.

To participate you need to follow the simple guidelines below. We may, at our discretion, have to delete and block test accounts that are found to be abusing our testing guidelines.

Who can participate?

Anyone who doesn’t work for IronCore Labs or our partners is eligible for a bounty, but anyone can submit an issue to us as part of responsible disclosure practices.

How to submit?

To disclose an issue for our bug bounty program, please fill out this form. If you have more information to disclose, files to attach, or feel that the issue is critical and should be looked at immediately, please also email [email protected].

We support secure submission via PGP/GPG. Please encrypt your email to the public key 0x5AF78B08403AA91A.

Before submitting, please review the guidelines, scope, and other information below to understand what you should and shouldn’t do and what is eligible or not eligible for a bounty.

Guidelines

Vulnerability reports MUST have a proof of concept or detailed step-by-step explanation of the security issue so we can reproduce it.
Please check the Scope section for a list of which systems and classes of vulnerabilities are accepted.
IronCore awards larger bounties for higher quality reports that include reproduction steps and the impact on users.
We encourage researchers to include screenshots or video in their bug submissions that demonstrate the bug in action. These screenshots or video cannot be uploaded to public locations such as public Youtube videos. We can provide ways to share large files securely if needed. Just email us.
Include your recommendations to resolve reported issues, if any.
We do not respond to extortion or abusive or threatening language.
Research in good faith.
Don’t leave any system that you are accessing in a worse state than when you found it.
We need to be able to contact researchers for additional information. If seven days elapses with no response after we contact you, we may close a submission, making you ineligible for reward.
Never publicly disclose customer information. This is a hunt for bugs, not for customer data. If you find a way to access customer information while you are researching, please stop and report it to our bug bounty team. Continuing is not authorized, and you are not authorized to copy, store, transfer, or disclose customer information in any way.
Only publicly disclose a vulnerability with our specific consent. (See Disclosure below for more details.)
Please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.

Please don’t create an excessive number of accounts for testing.
Avoid using site-wide scanners. Researchers who wish to should be using targeted scanning tools in order to prevent affecting the production environment. If you notice any performance degradation with your use of targeted scanning tools, you must stop using them.
Be mindful with the rate and scope of automated scanning tools.
Account Freezes: there are situations where during testing your account may be frozen due to fraud protection measures. If this happens, please reach out to [email protected].
Because of US Government restrictions, researchers working from Iran, North Korea, Syria, Sudan, or Cuba are not eligible to participate in the IronCore Labs Bug Bounty Program.
You must be at least 18 years of age to participate in the IronCore Labs Bug Bounty program.

Public Disclosure

We will move as quickly as we can to remedy any critical issues, test the remedies, and get fixes out to customers. We ask that you wait until we’ve pushed out these fixes before you publicly disclose any issues. In some cases, we may need some extra time so that customers can update their SDK versions.

Any public vulnerability disclosure that does not have our written consent will result in you being ineligible for the IronCore Labs Bug Bounty Program.

Scope

Targets

The following targets are considered in scope:

api.ironcorelabs.com
admin.ironcorelabs.com
recrypt: transform encryption library: may be downloaded here*.
SDK: may be downloaded here**.

* Note that github.com is NOT in scope.
** Note that npmjs.com is NOT in scope.

Important: Please note that any vulnerabilities found on IronCore’s main webpage, ironcorelabs.com, or not list in the list above, are considered out of scope for this bug bounty program.

Focus Areas

This program is focused on vulnerabilities in IronCore Labs’ developer APIs and SDK.

Developer API vulnerabilities.
Unauthenticated access to users’ accounts / information, especially PII (Personally Identifiable Information).
Encryption issues not including side-channel issues in the SDK. Documentation can be found at: https://docs.ironcorelabs.com

Production Environment: Please note that this program scope is a production environment. With that in mind, please be sure to avoid harming infrastructure, interacting with customers, and attempting to access, manipulate, and/or attack accounts you do not explicitly own.

Out-of-Scope and Vulnerability Exclusions

IronCore’s Main Website: Please note that any vulnerabilities found on IronCore’s main webpage, ironcorelabs.com, or on domains that are not listed in the Targets section are considered out of scope and are not eligible for IronCore’s bug bounty program.

DoS/DDoS

Service disruptions

Physical attacks, social engineering attacks, and phishing attacks of any kind.

3rd party systems and solutions (any resource / service not managed by IronCore Labs).
Spam or any other mass distribution to customers, partners, etc.
Customer support channels (chat, phone, email, etc.) – If you have any questions or issues while testing, please send an email to [email protected].

Security reports that don’t pertain to IronCore Labs. If you’re sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.

Flaws specific to out of date browsers/plugins.

Browser functions controlled by the client, such as if a vulnerability is found in a specific implementation of the Web Crypto API.

Malicious code running on a host site

Malicious code running in a browser plugin

Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.

Cross-site request forgery.

Clickjacking, as well as any issues only exploitable through clickjacking.
Lack of the Secure flag on non-sensitive cookies.
Cross-site Request Forgery issues submitted with a proof-of-concept containing a nonce.
Vulnerabilities identified with automated tools (including web scanners) that do not include proof of concept code or a demonstrated exploit.
Descriptive error messages.
HTTP 404 or other HTTP error codes/ pages.
Disclosure of known public files or directories, e.g. robots.txt.
Spelling errors, UI and UX bugs.
Reports of missing SPF records for domains with no MX record

Rewards

This program uses the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Submitting a bug can qualify for a reward if you were the first researcher to alert us to a previously unknown issue, and the issue triggers a code or configuration change.

IronCore Labs pays rewards using PayPal.

Priority	Reward
P1	$1,000 – $2,000
P2	$600 – $1,000
P3	$200 – $600
P4	$100 – $200
P5	unrewarded

Swag

IronCore Labs will be rewarding researchers with T-shirts for submission of a valid P3-P1 vulnerability. You will be contacted after the submission has been verified and reviewed. IronCore Labs will make a best effort (but no guarantee) to get qualifying researchers their swag. Sadly, it is very difficult to ship packages to some places in the world.

Legal

IronCore Labs reserves the right to modify terms and conditions of the IronCore Labs Bug Bounty Program, or to cancel this program at any time. Your participation in the program constitutes acceptance of all terms. Any changes to this page are effective as of the time of posting.