Bug Bounty Policy
Introduction to Spark Hire's Bug Bounty Policy
How vulnerabilities are submitted
Per our Privacy and Security Policy, security researchers may submit potential vulnerabilities to [email protected].
How we assess submissions
When a potential vulnerability is reported, we create an issue in our ticket tracking system and analyze and discuss it there. If we can reproduce the issue, we assign a severity. We welcome the submitter's guidance on severity, but we may ultimately choose a different rating. The table below gives our typical classification guidelines. Based on the classification, we determine the next steps for remediation in accordance with the remediation timeline.
The SLAs in the table are the maximum remediation time for each severity, not our target or our average timeline.
| Severity | Description | Remediation SLA | Bounty |
|---|---|---|---|
| Critical | Exploitation likely results in root-level compromise of servers or infrastructure devices. | 30 days | $500 |
| High | Exploitation could result in significant data loss, exfiltration, or downtime. | 30 days | $250 |
| Medium | Exploitation provides only very limited access, or requires user privileges to succeed. | 60 days | $100 |
| Low | Vulnerabilities that typically have very little impact on the organization's business. | 120 days | $25 |
| Informational | Findings with no practical attack vector or no measurable risk. | None | None |
Once the remediation has been implemented, tested, and released to production, we contact the security researcher who reported the vulnerability so they can confirm from their side that it is fixed. Upon that confirmation, we determine and make the payout.
As always, if you have any questions or concerns about our handling of personal information, you may contact our privacy officer at [email protected].