Bug Bounty Program

WellDev is committed to building a strong relationship with the information security community. In order to reward the best external contributions that help us keep our users safe, we maintain a Bug Bounty Program for WellDev owned web properties.

Services in scope

Any WellDev owned web service that handles reasonably sensitive user data is intended to be in scope.
Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. The program is limited to technical vulnerabilities in WellDev owned / used web applications. 

Please do not attempt to carry out DoS or DDoS attacks, social engineering, spamming or other similarly questionable things.

The following finding types are specifically excluded from the bounty:

  • The use of automated scanners is strictly prohibited

  • Disclosure of known public files or directories, (e.g. robots.txt)

  • CSRF on forms that are available to anonymous users (e.g. the contact form)

  • CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine)

  • Logout Cross-Site Request Forgery (logout CSRF)

  • Login or Forgot Password page brute force and account lockout not enforced

  • OPTIONS HTTP method enabled

  • Username / email enumeration

  • Missing HTTP security headers, e.g. Strict-Transport-Security; X-Frame-Options; X-XSS-Protection; X-Content-Type-Options; Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP; Content-Security-Policy-Report-Only; Cache-Control and Pragma.

  • HTTP/DNS cache poisoning

  • SSL/TLS Issues

    • e.g. SSL attacks such as BEAST, BREACH or the renegotiation attack; SSL forward secrecy not enabled; SSL weak/insecure cipher suites

  • Self-XSS reports will not be accepted.

    • Similarly, any XSS where local access is required (e.g. User-Agent header injection) will not be accepted. The only exception will be if you can show a working off-path MiTM attack that allows the XSS to trigger.

  • Missing or incorrect email security DNS records of any kind (SPF, DMARC, …)

  • Information disclosure of non-confidential information

  • Email bombing/flooding/rate limiting

Non-qualifying vulnerabilities

Depending on their impact, some of the reported issues may not qualify if they do not present a considerable amount of risk to the business.

Reward amounts for security vulnerabilities

Our monetary rewards are loosely consistent with other known reward programs and the final amount is always chosen at the discretion of our reward panel. In particular, we may decide to pay higher rewards for unusually clever or severe vulnerabilities or pay lower rewards for vulnerabilities that require unusual user interaction. We may also decide a single report actually constitutes multiple bugs or that multiple reports are so closely related that they only warrant a single reward. WellDev rewards bug bounty hunters on a first-come, first-served basis - the first comprehensive report for the same bug will be awarded the bounty.

Investigating and reporting bugs

When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to the users or to WellDev.

Please bear in mind we are interested in bugs, not user data. If you come across user information during the course of your research, do not save, store, copy, transfer, disclose, or otherwise retain this information and please report it immediately to us.

Please perform your research in good faith. Please don’t publicly disclose a vulnerability without our consent and review. Our pledge to you is to respond promptly and fix bugs in a sensible timeframe - and in exchange, we ask for a reasonable advance notice. Reports that go against this principle will usually not qualify, but we will evaluate them on a case-by-case basis.

Legal points

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship.

There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather an experimental and discretionary rewards program. You should understand that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion.

WellDev rewards bug bounty hunters on a first come, first served basis so if you find a vulnerability that has already been reported, we will not reward you.

Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.

To contact our information security team, please send an email to security@welldev.io.