Bug Bounty Program

Welcome to the Birdeye.so Bug Bounty Program!

At Birdeye.so, we are committed to maintaining the highest standards of security for our users. We invite security researchers to help us identify vulnerabilities in our systems. In return, we offer rewards for valuable contributions that help us improve our security posture.

Program Scope

In-Scope:

  • Main website: www.birdeye.so
  • API endpoints
  • Mobile apps (coming soon): Birdeye for iOS and Android

Out-of-Scope:

  • Internal corporate network
  • Third-party applications and services
  • Non-production environments
  • Social media accounts

Vulnerability Classification and Reward Structure

We classify vulnerabilities by impact and severity, using CVSS base-score ranges as a guide. The following outlines the criteria for each category and the corresponding minimum reward.

Category: Critical (CVSS 9.0-10.0)
Conditions:
  • Remote Code Execution (RCE)
  • SQL Injection leading to unauthorized access to sensitive data
  • Authentication bypass leading to account takeover
  • Significant data leakage of personal or sensitive information
  • Full system compromise
Reward: $5,000+

Category: High (CVSS 7.0-8.9)
Conditions:
  • Cross-Site Scripting (XSS) that can lead to session hijacking or sensitive data exposure
  • Privilege escalation to administrator level
  • Security misconfigurations leading to sensitive data exposure
  • Substantial impact on application availability (e.g., persistent DoS)
Reward: $1,000+

Category: Medium (CVSS 4.0-6.9)
Conditions:
  • Cross-Site Request Forgery (CSRF) with significant impact
  • Information disclosure that exposes non-sensitive data
  • Directory traversal attacks
  • Partial bypass of security controls
Reward: $500+

We do not offer monetary rewards for Low-severity findings (CVSS below 4.0), but we would still like to hear about them. You can also send such feedback through our Feedback page: https://feedback.birdeye.so/

Rules and Guidelines

  • Eligibility: Only test the in-scope targets. Respect user privacy and do not access or modify data without permission.
  • Non-Disruption: Avoid actions that could disrupt our services (e.g., DDoS attacks).
  • Confidentiality: Do not disclose vulnerabilities publicly until they have been fixed.
  • Legality: Comply with all applicable laws and do not engage in unethical behavior.

Submission Process

  • Submit Vulnerabilities: Email your report to dev(at)birdeye.so.
  • Required Information: Include a detailed description, steps to reproduce, the potential impact, and any relevant proof of concept (PoC) code or screenshots.
  • Acknowledgment: We will acknowledge receipt of your submission within 24 hours.
  • Communication: Regular updates will be provided on the status of the report.

Triage and Validation

Our internal security team will review and validate submitted vulnerabilities. The process includes:

  • Initial Review: Assessing the report for completeness.
  • Reproduction: Attempting to reproduce the vulnerability.
  • Impact Assessment: Determining the severity and potential impact.
  • Reward Determination: Deciding the appropriate reward based on the classification.

Continuous Improvement

We will regularly review and update the bug bounty program based on participant feedback and changes in our systems.


🛡️Join us in making Birdeye.so safer for everyone!🛡️