Bug Bounty Program

phData considers privacy and security to be core functions of our organization. Earning and keeping the trust of our customers is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security issue that you believe we should know about, we would love to work with you.

Please let us know about it and we’ll make every effort to quickly correct the issue. You can report a security incident by emailing security@phdata.io.

Reporting

What you can report

You can report any number of weaknesses in our IT systems. If you spot a weakness, please contact us as soon as possible. Examples are:

  • Confidential data exposure
  • Cross-Site Scripting vulnerabilities (i.e. Stored, Reflected);
  • SQL Injection vulnerabilities;
  • Encryption weaknesses;
  • Remote Code Execution;
  • Authentication Bypass, Unauthorized data access;
  • XML External Entity;
  • S3 Bucket Upload;
  • Server-Side Request Forgery.

How to report a weakness

  • Provide your IP address in the bug report. This will be kept private for tracking your testing activities and to review the logs from our side.
  • You can report weaknesses to us by email: security@phdata.io. State concisely in your email what weakness(es) you have found. We will take action immediately.
  • Describe the found issue as explicit and detailed as possible and provide any evidence you might have. You can take into account that the notification will be received by specialists.
  • We will not accept only automated scanners output.
  • Particularly include the following in your e-mail:
  • Which vulnerability;
  • The steps you undertook;
  • The entire URL;
  • Objects (as filters or entry fields) possibly involved;
  • Screen prints are highly appreciated.

What will not be accepted

  • “Self” XSS;
  • HTTP Host Header XSS, X-Content-Type-Options, Content Security Policy without working proof-of-concept;
  • Incomplete/Missing SPF/DKIM;
  • Social Engineering attacks;
  • Denial of Service attacks.

What we do with your report

A team of security experts will investigate your report and will contact you within two work days to discuss the weakness, how you found it and follow-up action.

Your privacy

We will only use your personal details to take action based on your report. We will not share your personal details with others without your express permission.

Rules

Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary in order to find or demonstrate the weaknesses.

  • Secure your own systems as tightly as possible.
  • Do not use weaknesses you discover for purposes other than your own investigation.
  • Do not use social engineering to gain access to a system.
  • Do not install any back doors – not even to demonstrate the vulnerability of a system. Back doors will weaken the system’s security.
  • Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further.
  • Do not alter the system in any way.
  • Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others.
  • Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.

Reward

Yes, we pay between $50 USD and $1000 USD depending on the severity of the weaknesses you report. You are not necessarily entitled to compensation. The amount of the reward is not fixed in advance. phData determines the amount, based on the following:

  • The caution taken in your investigation
  • The quality of your report
  • The amount of potential damages prevented as a result of your report

want to learn more about the program?