Nudge Bug Bounty Program

Your participation in our Bug Bounty Program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us (making a “Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”). Note that this program is currently private, and may require researchers to be vetted before accepting security reports.

Responsible Disclosure

  • Research and disclose in good faith.
  • Respect our users’ privacy.
  • No extortion, shake downs, or duress.
  • Don’t leave any system in a more vulnerable state than you found it.
  • Give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.  
  • Be respectful when interacting with our team, and our team will do the same.

Program Terms

The scope of Nudge’s Bug Bounty Program is focused on securing the data of our users. We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Nudge’s discretion, based on risk, impact, and other factors. Bounty rewards range from CAD$25-CAD$500. To potentially qualify for a bounty, you first need to meet the following requirements:

  • Adhere to Responsible Disclosure (see above)
  • Report a security bug: identify a vulnerability in our service or infrastructure which creates a security or privacy risk
  • Your report must describe a problem involving one of the products or services listed under “Bug Bounty Program Scope”
  • Submit your report to, and respond to any questions on that email thread.
  • If you inadvertently cause a privacy violation or disruption while investigating an issue, you must disclose this in your report
  • Do not interact with other Nudge accounts without consent

Note that your use of Nudge services is subject to Nudge Terms of Use found here: We may retain any communications about security issues you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.

Program Scope

To qualify for a bounty, report a security bug in one of Nudge’s products:

  • Nudge Web Application
  • Nudge Chrome Extension
  • Nudge Outlook Extension

Note that services not owned by Nudge (ie. WordPress) are not directly eligible under our bug bounty program. While we often care about vulnerabilities affecting services we use, we cannot guarantee this policy applies to services from other companies.

Out of Scope

  • Spam techniques
  • Denial-of-service or Distributed Denial-of-service attacks
  • Security issues in third-party systems to integrate with Nudge
  • Best Practice concerns
  • Vulnerabilities that cannot be used to exploit other users of Nudge
  • Physical or social engineering attempts (including against Nudge employees)
  • Vulnerability reports from automated tools without an explanation or validation of the particular issue