Eligibility and Responsible Disclosure
The following domains and apps are within the scope of the program:
- Givo for iOS
- Givo for Android
- Givo for Windows Phone
Based on the severity of the bug and the completeness of the submission, both judged at our sole discretion, we offer three tiers of honoraria:
- Minor: $200
- Major: $400
- Critical: $1000
To be eligible, you must demonstrate a security compromise of an in-scope target using a reproducible exploit. Eligible bug classes include the following:
- Cross-site scripting exploits
- Cross-site request forgery exploits
- Authentication or authorization flaws
- Vulnerabilities in the official Givo mobile apps
- Server-side code execution bugs
- Injection flaws
- Significant security misconfigurations
Eligibility determinations will be made at our sole discretion.
The more thorough the proof-of-concept, the higher the chance a payout will be awarded.
We ask that you follow principles of responsible disclosure and give the Givo security team a reasonable amount of time to respond to and correct the submitted bug before you make it public.
Exclusions from eligibility
- Not making a responsible disclosure, per above.
- Your own profile page, givo.me/[yourusername], can be the *source* of an exploit (for example, hosting the payload that affects other users), but not the *target*: a bug whose only impact is on your own page is not eligible.
- Bugs which require unlikely user interaction or phishing are not eligible.
- Missing "best practices" HTTP headers, unless they can be demonstrated to lead to an exploit. Keep in mind that several Givo pages are designed to be frameable, so the absence of anti-framing headers on those pages is not a bug by itself.
- Vulnerabilities in third party components in use at Givo, depending on severity and exploitability. For instance, we try to keep up to date with OpenSSL versions but not all security issues impact Givo's configuration.
- Any individual on an Australian state or federal criminal wanted list or restricted export control list is not eligible to participate.
- This program is limited to technical vulnerabilities in Givo web or mobile applications.
- Don't try black hat SEO techniques, spam people, or do other similarly questionable things. We also discourage the use of vulnerability testing tools that automatically generate significant volumes of traffic.
- Do not compromise other users' accounts to prove your exploit. All proofs of concept should be executed using accounts that you own.
- We don't work with vulnerability brokers. The purpose of this program is to fix bugs, not benefit third parties.
We will make the final decision on bug eligibility and value. Don't treat this program like a game or competition. The program exists entirely at our discretion and may be canceled at any time. We of course thank you heaps for your contribution to the community.