Bug Bounty Policy

Introduction to Spark Hire's Bug Bounty Policy

How they’re submitted

Per our Privacy and Security Policy, security researchers may submit potential vulnerabilities to [email protected].

How we assess submissions

When a potential vulnerability is reported, we will create an issue in our ticket tracking system. From there, we will analyze and discuss it. If we can reproduce the issue, we will assign a severity. We welcome guidance on severity from the submitter, but ultimately we may choose a different severity rating. See the table below for our typical classification guidelines. Based on the classification, we determine next steps for remediation in accordance with the remediation timeline.

The SLAs defined below are the maximum time allowed for remediation, not our goal or our average timeline.

| Classification | Definition | Remediation SLA | Payout |
|---|---|---|---|
| Critical | Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices. | 30 Days | $500 |
| High | Exploitation could result in a significant data loss, exfiltration, or downtime. | 30 Days | $250 |
| Medium | Vulnerabilities where exploitation provides only very limited access or requires user privileges for successful exploitation. | 60 Days | $100 |
| Low | Vulnerabilities in the low range typically have very little impact on an organization's business. | 120 Days | $25 |
| Informational | Vulnerabilities that have no practical attack vector or pose no measurable risk. | None | None |


When the remediation is performed, tested, and released to production, we will contact the security researcher who reported the vulnerability so they can confirm it is remediated from their perspective as well. Upon confirmation from the security researcher, we determine (and make) the payout.

As always, if you have any questions or concerns about our handling of personal information, you may contact our privacy officer at [email protected]. Spark Hire reserves the right to change, modify, or remove this policy at any time.