🛡️ SECURITY FIRST

Bug Bounty Program: Earn 100+ Hours

Help us keep Drytis secure. Find bugs, report vulnerabilities, and earn significant rewards.

Reward tiers by severity:

  • Critical: 500 Hours ($2,500 value)
  • High: 200 Hours ($1,000 value)
  • Medium: 100 Hours ($500 value)
  • Low: 50 Hours ($250 value)

Bug Severity Classifications

🔴 Critical (500 Hours)

Vulnerabilities that could lead to:

  • Remote code execution
  • Complete system compromise
  • Unauthorized admin access
  • Mass data breach
  • Complete authentication bypass

Example: SQL injection allowing database access, remote code execution vulnerabilities
🟠 High (200 Hours)

Security issues that could cause:

  • Unauthorized data access
  • Account takeover
  • Privilege escalation
  • Significant data loss
  • XSS with session hijacking

Example: IDOR exposing user data, stored XSS, authentication flaws
🟡 Medium (100 Hours)

Bugs that result in:

  • Limited data exposure
  • Functionality disruption
  • Reflected XSS
  • CSRF vulnerabilities
  • Information disclosure

Example: CSRF on non-critical actions, clickjacking, rate limiting bypass
🟢 Low (50 Hours)

Issues including:

  • UI/UX bugs
  • Minor information leaks
  • Non-exploitable issues
  • Best practice violations
  • Performance issues

Example: Missing security headers, verbose error messages, minor UI glitches

In-Scope Assets

✅ Eligible for Bounty

Web Application

  • app.drytis.com
  • api.drytis.com
  • *.drytis.com (production only)

Mobile Apps

  • iOS App (latest version)
  • Android App (latest version)
  • Mobile API endpoints

Infrastructure

  • Authentication systems
  • Payment processing
  • Data storage & handling

❌ Out of Scope

Excluded Items

  • Third-party services
  • Social engineering attacks
  • Physical attacks
  • DoS/DDoS attacks
  • Automated scanning without permission
  • Testing on other users' data

Report a Bug

📋 Submission Guidelines

  • One vulnerability per report
  • Include clear proof of concept
  • Don't perform destructive testing
  • Don't access other users' data
  • Report immediately upon discovery
  • Keep findings confidential until fixed

Security Hall of Fame

Recognizing our top security researchers

🥇 SecurityNinja: 15 vulnerabilities reported, 2,500 hours earned

🥈 BugHunter42: 12 vulnerabilities reported, 1,800 hours earned

🥉 CyberSec_Pro: 8 vulnerabilities reported, 1,200 hours earned

Recently Fixed Vulnerabilities

Dec 15, 2023: Stored XSS in User Profile (High Severity)

Fixed a stored XSS vulnerability in user profile descriptions. Thanks to @SecurityNinja!

Dec 10, 2023: IDOR in Project Sharing (Medium Severity)

Resolved unauthorized access to private projects through ID manipulation. Reported by @BugHunter42.

Dec 5, 2023: Rate Limiting Bypass (Low Severity)

Implemented proper rate limiting on authentication endpoints. Credit to @CyberSec_Pro.

Bug Bounty FAQ

How quickly will I hear back?

We aim to respond within 24-48 hours for critical issues and within 3-5 days for all others. You'll receive confirmation of receipt immediately.

Can I report multiple bugs?

Yes! Report as many as you find. Each valid bug earns rewards. Submit separate reports for each vulnerability.

What about duplicate reports?

First valid report gets the reward. If you reported within 24 hours of the first report, you may receive partial credit.

Can I disclose the bug publicly?

Please wait for our permission after the fix is deployed. We support responsible disclosure and will credit you publicly.

What testing tools can I use?

Manual testing and common security tools are allowed. No automated scanners without permission. No DoS testing.

Are there bonus rewards?

Yes! Exceptional reports with clear PoC, impact analysis, and fix suggestions may receive up to 50% bonus hours.

Security Resources