Givo's Bug Finders Program

The Givo Bug Finders Program was designed for those security-conscious users who help keep the Givo community safe from criminals and jerks. If you submit a bug that is within the scope of the program (as defined below), we will gladly reward you for your keen eye and skills.

Last Modified 13 Jan 2016

  • Eligibility and Responsible Disclosure

    The following domains and apps are within the scope of the program:

    - givo.me

    - Givo for iOS

    - Givo for Android

    - Givo for Windows Phone

  • Rewards

    Based on the severity of the bug and the completeness of the submission, which we will decide at our sole discretion, we offer three types of honoraria:

    - Minor: $200

    - Major: $400

    - Critical: $1000

  • Eligibility

    To be eligible, you must demonstrate a security compromise on any of these domains using a reproducible exploit. Eligible issues include the following:

    - Cross-site scripting exploits

    - Cross-site request forgery exploits

    - Authentication or authorization flaws

    - Vulnerabilities in the official Givo mobile apps

    - Server-side code execution bugs

    - Injection flaws

    - Significant security misconfigurations

    Eligibility determinations will be made at our sole discretion.

    The more thorough the proof-of-concept, the higher the chance a payout will be awarded.

    We ask that you follow principles of responsible disclosure and give the Givo security team a reasonable amount of time to respond to and correct the submitted bug before you make it public.

    Exclusions from eligibility

    - Not making a responsible disclosure, per above.

    - givo.me/[yourusername] can be the *source* of an exploit, but not the *target*.

    - Bugs which require unlikely user interaction or phishing are not eligible.

    - Missing "best practices" HTTP headers, unless they can be demonstrated to lead to an exploit. Keep in mind, several Givo pages are designed to be frameable.

    - Vulnerabilities in third-party components in use at Givo, depending on severity and exploitability. For instance, we try to keep up to date with OpenSSL versions, but not all security issues impact Givo's configuration.

    - Any individual on an Australian state or federal criminal wanted list or restricted export control list is not eligible to participate.

    - This program is limited to technical vulnerabilities in Givo web or mobile applications.

    - Don't try black hat SEO techniques, spam people, or do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate significant volumes of traffic.

    - Do not compromise other users' accounts to prove your exploit. All proofs of concept should be executed using accounts that you own.

    - We don't work with vulnerability brokers. The purpose of this program is to fix bugs, not benefit third parties.

    Final notes

    We will make the final decision on bug eligibility and value. Don't treat this program like a game or competition. The program exists entirely at our discretion and may be canceled at any time. We of course thank you heaps for your contribution to the community.

Thanks for reading this.