Last updated: December 2024
This document outlines the complete rules, guidelines, and legal terms governing participation in the SindrX Bug Bounty Program. By participating, you agree to abide by all terms herein.
To participate in the SindrX Bug Bounty Program, you must meet the following requirements:

- You must be at least 18 years of age, or have verifiable parental or legal guardian consent if you are between 14 and 17 years old. Participants under 14 are not eligible.
- You must not be a current or former (within the last 12 months) employee, contractor, or consultant of SindrX or any of its subsidiaries. Immediate family members of such persons are also excluded.
- You must not reside in a country under U.S. sanctions (including but not limited to: Cuba, Iran, North Korea, Syria, and the Crimea region). You must be legally permitted to participate in security research activities in your jurisdiction.
- You must be able to provide valid tax documentation if required. For U.S. persons, this includes a W-9 form. For non-U.S. persons, a W-8BEN or equivalent may be required for payments exceeding $600 USD.
| Asset | Type | Priority |
|---|---|---|
| *.sindrx.com | Web Application | Critical |
| api.sindrx.com | REST API | Critical |
| SindrX iOS App | Mobile Application | High |
| SindrX Android App | Mobile Application | High |
| Authentication Systems | Identity & Access | Critical |
All security research must be conducted in accordance with the following rules. Violation of these rules may result in immediate disqualification, forfeiture of rewards, and potential legal action.

- Only access data or systems to the extent necessary to confirm the vulnerability exists. Do not access, modify, delete, or exfiltrate any data beyond what is strictly necessary for demonstration.
- Do not access, view, copy, or store personal data of any SindrX user. If you inadvertently encounter personal data, stop immediately, do not save it, and report it to us.
- Do not perform any testing that could degrade, disrupt, or deny service to SindrX or its users. This includes but is not limited to: DoS/DDoS attacks, resource exhaustion, and automated scanning at high rates.
- Only test against accounts you own or have explicit permission to test. Create your own test accounts for research purposes. Never attempt to access other users' accounts.
- Report vulnerabilities to SindrX as soon as reasonably possible after discovery, ideally within 24 hours. Do not attempt to exploit the vulnerability beyond initial verification.
- Do not publicly disclose any vulnerability details before receiving explicit written authorization from SindrX. Coordinated disclosure is typically permitted 90 days after the fix is deployed.
- Act in good faith throughout your research. If you are uncertain whether an action is permitted, ask us first at security@sindrx.com before proceeding.
The following activities are strictly prohibited and will result in immediate disqualification, forfeiture of any pending rewards, and may result in legal action:
High-quality reports help us understand and fix vulnerabilities quickly. Please include the following information in your report:
| Severity | CVSS Range | Reward Range |
|---|---|---|
| Critical | 9.0 - 10.0 | $10,000 - $15,000 |
| High | 7.0 - 8.9 | $5,000 - $10,000 |
| Medium | 4.0 - 6.9 | $1,000 - $5,000 |
| Low | 0.1 - 3.9 | $100 - $1,000 |
SindrX is committed to working with security researchers in a constructive, collaborative manner. We believe that security research conducted in good faith should be protected.
Safe Harbor protections apply when the researcher:
This Bug Bounty Program and any disputes arising from it shall be governed by the laws of the State of Delaware, United States, without regard to its conflict of law provisions.
SindrX's total liability for any claims arising from this program shall not exceed the bounty amount paid or payable for the specific vulnerability report in question. SindrX shall not be liable for any indirect, incidental, special, consequential, or punitive damages.
By submitting a vulnerability report, you grant SindrX a non-exclusive, perpetual, irrevocable, worldwide, royalty-free license to use, reproduce, modify, and distribute your report and any associated materials for the purpose of addressing the vulnerability and improving our security.
Any disputes regarding severity assessment, reward amounts, or program eligibility will be resolved at SindrX's sole discretion. Our security team's decisions are final. For disputes regarding legal matters, both parties agree to attempt resolution through good-faith negotiation before pursuing formal legal action.
You agree to indemnify and hold harmless SindrX, its officers, directors, employees, and agents from any claims, damages, or expenses arising from your violation of these program rules or any applicable laws.
All vulnerability reports and related communications are considered confidential information. By participating in this program, you agree to:
SindrX may publicly acknowledge your contribution (with your consent) and may publish sanitized details of resolved vulnerabilities in security advisories.
SindrX reserves the right to modify these program rules at any time. Changes will be effective immediately upon posting to this page. The "Last updated" date at the top of this document indicates when the most recent changes were made.
Significant changes to scope, rewards, or legal terms will be announced via email to active researchers and on our security blog. Your continued participation in the program after changes are posted constitutes acceptance of the modified terms.
Reports submitted before a policy change will be evaluated under the terms in effect at the time of submission.