Please note that our security bounty only applies to our online application for Windows and Mac and the associated server (i.e. alpha.solaraccounts.co.uk). We will not accept security reports related to this website (i.e. www.solaraccounts.co.uk).
To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs. Bounties of between $50 and $4,000 (USD) are awarded at the discretion of the bug bounty team. We only pay individuals, and only one bounty per security bug will be awarded.
To submit a report of a security bug please email firstname.lastname@example.org.
To qualify for a bounty, you must:
Adhere to our Responsible Disclosure Policy (below).
Be the first person to responsibly disclose the bug.
Report a bug that could significantly compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure, such as: Broken Authentication, Circumvention of our permission models, Remote Code Execution, Privilege Escalation.
Make every effort to use a test account on the alpha system when investigating bugs, instead of a real account on a production system. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.
Not interact with other accounts without the consent of their owners.
Accept payment into a PayPal account (we will not issue cheques or perform bank transfers.)
Be willing to have your full name published on our website.
We will not pay a bounty for reports that describe:
Spam or social engineering techniques.
If you give us reasonable time to respond to your report before making any information public, and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.