The purpose of this document is to establish the processes and rules that guide communication and rewards relating to vulnerability reports provided by external security researchers.
The program acts as a source for the vulnerability management program and, therefore, for the associated vulnerability intelligence collection process.
The bug bounty program is limited to vulnerabilities affecting the Passbase products or infrastructure included in the Information Security Management System. Vulnerabilities affecting third-party hosted platforms are not included in the scope of this program.
The Head of Security is responsible for the reward mechanism, with the support of the Passbase operations effort, which will pay the reward.
Security researchers must fill in the form at https://forms.gle/piEvEVzCLNoJdMvR7
Once the vulnerability report is received through authorized channels, the report must be traced using the methodology described in the vulnerability management program.
Vulnerability reports are linked to sources.
New report sources must be traced, as described in the Intelligence Program.