Bug Bounty Program

At Monitorator, we value the security and privacy of our users above all else. Our bug bounty program focuses on identifying and fixing vulnerabilities that may affect our platform's security and user data.

Reporting and Payment Policy

  • Rewards will only be given to the first researcher who reports each specific vulnerability
  • If a bug has already been reported, no reward will be given for additional reports of the same issue
  • Upon request, we can provide evidence of the original report date to verify priority
  • Payment will be processed once the vulnerability has been verified and accepted by our team

Program Scope

This program exclusively focuses on security vulnerabilities affecting:

  • Authentication and authorization system
  • Sensitive user data management
  • Integration system (Stripe, Google Analytics, Plausible)
  • API endpoints
  • Credentials and token protection
  • General platform security

Reward Levels

Critical (€400 - €500)

  • Unauthorized access to sensitive user data
  • Remote Code Execution (RCE)
  • Complete authentication bypass
  • Access to other users' integration credentials
  • Vulnerabilities allowing full access to user accounts

High (€300 - €400)

  • SQL Injection
  • Persistent Cross-Site Scripting (XSS)
  • Sensitive data exposure in APIs
  • Privilege escalation vulnerabilities
  • Permission manipulation between accounts

Medium (€200 - €300)

  • Reflected Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF) in critical functions
  • Payment system vulnerabilities
  • Configuration issues exposing sensitive information
  • Race conditions affecting data integrity

Low (€100 - €200)

  • Low-impact security vulnerabilities
  • Configuration issues that could lead to data exposure
  • CSRF in non-critical functions
  • Validation issues that could affect security

Out of Scope (Not Rewarded)

The following types of reports are not eligible for rewards:

  • UI/UX and layout issues
  • Responsive design bugs
  • Usability issues
  • Visual or cosmetic errors
  • Performance issues
  • Spam
  • Brute force attacks
  • Third-party system issues
  • Duplicate vulnerability reports

Note: In exceptional cases, we might offer a symbolic reward of up to €50 for particularly significant bugs, but this will be at our discretion and should not be considered a standard part of the program.

Reporting Process

  1. Send your detailed report to [email protected]
  2. Include clear steps to reproduce the vulnerability
  3. Provide evidence (screenshots, codes, etc.)
  4. Our team will review the report within 48-72 hours
  5. We will keep you informed of progress
  6. Once verified and accepted as the first report, we will process your reward

Program Rules

  • Do not perform tests that could affect real users
  • Do not perform denial of service attacks (DoS/DDoS)
  • Do not access, modify, or delete real user data
  • Maintain confidentiality until the vulnerability is fixed
  • Follow responsible disclosure practices

Hall of Fame

We publicly recognize researchers who have significantly contributed to our platform's security (with their consent).

Note on Duplicate Reports

If you report a vulnerability that has already been identified by another researcher:

  • We will inform you that the vulnerability has already been reported
  • No reward will be given for duplicate reports
  • If requested, we can provide the date of the original report (maintaining the anonymity of the first reporter)
  • We encourage you to continue participating in the program by looking for other vulnerabilities

We appreciate all efforts to improve Monitorator's security, even when we cannot offer a monetary reward for duplicate reports or issues outside the program's scope.