White Hat Program

Welcome to SaveYa’s bug bounty program

If you believe you have found a vulnerability on our site, please read below before reporting.

Each submission should be sent separately, with an attached proof of concept, to: bugbounty@saveya.com.

All submissions and contact must be sent to the appropriate submission email. All other communication will be disregarded unless an individual specifically reaches out to you. Please do not ask for updates on your submissions; we will post them to your submission as quickly as we can.

In order to have a submission be honored, please follow the submission policy and the responsible disclosure policy. We will try to investigate all legitimate submissions and quickly remediate the vulnerability.

Rewards will only be awarded to the first person who submitted the vulnerability; duplicates will not receive a reward.

Rewards will range from your name on our acknowledgements page to a monetary reward.

In the event your submission is deemed valid for reward, we may do a partial reward when the vulnerability is first verified and then an additional reward once the vulnerability has been fixed. The format and timing of all bounty rewards shall be determined in our sole discretion.

Responsible Disclosure Policy

If you comply with the policies below when reporting a security issue on our site, we will honor your submission if deemed valid and non-duplicate:

  • You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others. You may not publicly disclose your findings or the contents of your submission(s) in any way without our prior written approval. If any details of your submission are disclosed, it will no longer be deemed valid and will not be honored.
  • If your submission is deemed a duplicate, please refrain from publicly disclosing your findings, out of respect for the original submission by another bug bounty participant.
  • Anyone found to have disclosed information about submissions or findings will be ineligible for any rewards from our program from then on.
  • You avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
  • You do not interact with any individual’s account (modifying or accessing data from the account) if the account owner has not consented to such actions.
  • You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
  • You do not violate any other applicable laws or regulations.

Bug Bounty Program Scope

The scope of this program is limited to technical vulnerabilities in our browser extensions, mobile, and web applications. If you are unsure whether a service or a finding is eligible for a bounty or not, feel free to ask us at bugbounty@saveya.com. Below are some specific examples of eligible and ineligible submissions to help guide your research.

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. The program covers any exploitable vulnerability that can compromise the integrity of our user data, crash applications (leading to compromise of data) or disclose sensitive information. Common examples include but are not limited to:

  • SQL Injection
  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Information disclosure of sensitive data
  • Server-side code execution bugs

Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, or do any other questionable things. We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.

Final say on a submission falling in the scope of the program is left to our security department.

Out of Scope

  • Self-XSS
  • Descriptive error messages (e.g. stack traces, application or server errors)
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Fingerprinting/banner disclosure on common/public services
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Clickjacking and issues only exploitable through clickjacking
  • CSRF on forms that are available to anonymous users
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Lack of Secure and HttpOnly cookie flags
  • Weak Captcha/Captcha bypass
  • Denial of Service
  • Brute force of the Login or Forgot Password page, and account lockout not being enforced
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers)
  • Misconfigured or missing SPF records
  • Out-of-date software versions
  • Vulnerabilities dependent upon social engineering techniques
  • Vulnerabilities in non-web applications
  • Outdated browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer versions prior to version 8
  • .htaccess files
  • Config files
  • Host header issues

Attributes of a Good Report

When submitting a finding, please submit one finding at a time. For each finding, please follow the guidance below on the proper way to submit to our program.

  • Make sure your submission report includes the proof of concept and replication information.
  • Detailed steps in your message explaining how to reproduce the bug. This should include any links you clicked on, pages you visited, URLs, user IDs, etc. Images and video can be helpful if you also include written explanations.
  • Clear descriptions of any accounts used in your report and the relationships between them. Please do not use the same name on multiple accounts to avoid confusion.
  • Please add your testing IP addresses.
  • Quality before quantity. Often just a few lines of precise, clear explanations will do.
  • If you send a video, consider these tips:
    • Keep it short by showing only the parts necessary to demonstrate the bug once. (Remove or redo mistakes that might happen while recording.)
    • Record at a resolution where text or URLs are readable (at least 480p; 1080p is usually not necessary).
    • Provide commentary or instructions in your messages or video description instead of typing on-screen during the video.
    • Setting our sites to English while recording steps helps us quickly identify what features you use.
    • If a large amount of text appears in your video, please include a copy in your messages as well.
    • Keep the video private either by uploading it as an attachment or posting it privately online (such as with a hidden link or password that you send to us).

If you are selected as a recipient of a reward, and if you accept, we will need your contact details to process the submission’s reward. This includes your full name (first and last), address, PayPal account name and email. You can still request not to be listed on our public credits page. There is an acknowledgment page to show who has found vulnerabilities for our program; that page can be seen here.

Legal points

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.

This is not a competition, but rather a discretionary rewards program. You should understand that we can cancel the program at any time, and the decision as to whether or not to pay a reward is entirely at our discretion.

Your testing must not violate any law, or disrupt or compromise any data that is not your own.