Nudge Bug Bounty Program
Your participation in our Bug Bounty Program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us (making a “Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”). Note that this program is currently private, and researchers may need to be vetted before we accept security reports.
- Research and disclose in good faith.
- Respect our users’ privacy.
- No extortion, shakedowns, or duress.
- Don’t leave any system in a more vulnerable state than you found it.
- Give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- Be respectful when interacting with our team, and our team will do the same.
The scope of Nudge’s Bug Bounty Program is focused on securing the data of our users. We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Nudge’s discretion, based on risk, impact, and other factors. Bounty rewards range from CAD$25 to CAD$500. To potentially qualify for a bounty, you first need to meet the following requirements:
- Adhere to Responsible Disclosure (see above)
- Report a security bug: identify a vulnerability in our service or infrastructure which creates a security or privacy risk
- Your report must describe a problem involving one of the products or services listed under “Bug Bounty Program Scope”
- Submit your report to firstname.lastname@example.org, and respond to any questions on that email thread.
- If you inadvertently cause a privacy violation or disruption while investigating an issue, you must disclose this in your report
- Do not interact with other Nudge accounts without consent
To qualify for a bounty, report a security bug in one of Nudge’s products:
- Nudge Web Application
- Nudge Chrome Extension
- Nudge Outlook Extension
Note that services not owned by Nudge (e.g., WordPress) are not directly eligible under our bug bounty program. While we often care about vulnerabilities affecting services we use, we cannot guarantee this policy applies to services from other companies.
Out of Scope
- Spam techniques
- Denial-of-service or Distributed Denial-of-service attacks
- Security issues in third-party systems that integrate with Nudge
- Best Practice concerns
- Vulnerabilities that cannot be used to exploit other users of Nudge
- Physical or social engineering attempts (including against Nudge employees)
- Vulnerability reports from automated tools without an explanation or validation of the particular issue