Safety Bug Bounty Program

Safety Cybersecurity Shield logo
Image displaying code in the shape of an insect, conveying a "bug"

Safety invites independent security groups and individual researchers to study it across all platforms and help us make it even safer for our customers. If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us so that we can address it as soon as possible. For Security related bugs/vulnerabilities, we offer rewards.

Please note that only genuine security issues are eligible for rewards.

In case of any issues related to fraud, please report them to: info@safetycli.com.

Guidelines

Participating in Safety's bug bounty program requires you to follow our guidelines. Responsible investigation and reporting includes, but not limited to the following:

  • Don't violate the privacy of other users, destroy data, disrupt our services, etc
  • Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users
  • Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc
  • In case you find a severe vulnerability that allows system access, you must not proceed further
  • It is Safety's decision to determine when and how bugs should be addressed and fixed
  • Disclosing bugs to a party other than Safety is forbidden, all bug reports are to remain at the reporter and Safety's discretion
  • Exploiting or mis-using the vulnerability for own or others benefit will automatically disqualify the report

In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.

Eligibility

Generally speaking, any bug that poses a significant vulnerability could be eligible for reward. But it's entirely at our discretion to decide whether a bug is significant enough to be eligible for reward. Security issues that typically would be eligible (though not necessarily in all cases) include:

  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Code Executions
  • SQL injections
  • Privilege Escalations
  • Authentication Bypasses
  • File inclusions (Local & Remote)
  • Protection Mechanism bypasses (CSRF bypass, etc.)
  • Leakage of sensitive data
  • Directory Traversal
  • Payment manipulation
  • Administration portals without authentication mechanism
  • Open redirects which allow stealing tokens/secrets

Ineligibility

Things that are not eligible for reward include:

  • Application stack traces (Path disclosures, etc.)
  • Self-type Cross Site Scripting
  • Denial of Service attacks
  • CSRF issues on actions with minimal impact
  • Brute force attacks
  • Security practices (banner revealing a software version, etc.)
  • Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website
  • Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc
  • Vulnerabilities affecting outdated or unpatched browsers / Operating Systems
  • Vulnerabilities in third party applications that make use of Safety's API
  • Bugs that have not been responsibly investigated and reported
  • Bugs already known to us, or already reported by someone else (reward goes to first reporter)
  • Issues that aren't reproducible
  • Issues that we can't reasonably be expected to do anything about

Rewards

  • All monetary rewards can ONLY be credited through PayPal. Recipients must be able to receive PayPal payments. KYC is required;
  • The minimum reward for eligible bugs is the equivalent of 30 USD;
  • Only one reward per bug;
  • Rewards over the minimum are at our discretion, but we will pay significantly more for particularly serious issues.

How to Report?

  • Email us as security@safetycli.com with "Bug Bounty" in the subject line;
  • Include as much information in your report as you can. We require a description of your findings, the steps needed to reproduce it, and the vulnerable component (i.e. API endpoint, etc.);
  • We prefer you to share screenshots / videos for PoC. Please upload these to your own Google Drive or any other upload service and share with us the links to those files in the form;
  • Include your correct name and email address so we can reach out to you.

Resolution

Please allow us up to 7 days to respond before sending another email on the matter.

Recent Blog Posts

Building an Effective Engineering Career Framework: A Practical Guide
December 11, 2024
Read more
Critical Supply Chain Attack Targets Ultralytics AI Library
December 10, 2024
Read more
CryptoAITools Supply Chain Attack: What It Means for Package Security
November 1, 2024
Read more
The New Cyber Threat Landscape: Key Insights from Canada’s 2025-2026 Cyber Threat Assessment
October 31, 2024
Read more
Safety CLI Team Uncovers Unpublished Vulnerability in TensorFlow: CVE-2023-33976
August 27, 2024
Read more
Understanding the Security Vulnerability in the llama-cpp-python Package
June 3, 2024
Read more

Secure Python Development

Stop Supply Chain Attacks Before They Start

Trusted by developers and data scientists at the world's most innovative companies.

Reduce vulnerability noise by 90%.
Get a demo today to learn more.

Cookie Consent

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.
View our Privacy Policy for more information.