Thank you for your interest in the Nivelo Bug Bounty Program. This document contains instructions on how to sign up and send us security reports.
We appreciate your help in making Nivelo as secure as possible by reporting potential issues to us. Thank you!
Nivelo Bug Bounty
At Nivelo, we take privacy and security seriously. We encourage security researchers to participate in our private (invite-only) bug bounty program, which is meant for security researchers to responsibly find, disclose, and help us resolve security vulnerabilities.
Our program is straightforward and consists of a simple set of rules that help protect both our company and those who find bugs and security vulnerabilities. To participate, please send a short introduction to [email protected] to get a testing account.
How we approach security issues
- Nivelo will not take legal action against anyone for disclosing vulnerabilities within these guidelines.
- We strive to follow up on all bug and vulnerability reports within 24 hours.
- We will provide a full write-up of steps we've taken to resolve any issues reported.
- Based on the validity, severity, and scope of each issue, we're happy to compensate researchers for their time and effort:
  - Rewards vary based on the criticality of the discovered vulnerability and the scope of its impact in terms of access and data exposure.
  - We pay an hourly rate, capped at 10 hours per week, plus bonus pay based on the severity of the discovered vulnerabilities.
- Do ensure that testing only includes sites and services that Nivelo directly operates. Nivelo will not accept reports for third-party services or providers that integrate with Nivelo through our API. Please contact those third parties directly to inform them of vulnerabilities through their own bug bounty programs.
- Don't perform any actions that could harm the reliability or integrity of our services and data. Some examples of harmful activities include: brute forcing, denial of service (DoS), spamming, etc.
- Do perform actions to prove the scope of a vulnerability, using good judgement about what constitutes a demonstration of generalizable scope. Modifying a row in a database to prove SQL injection is a reasonable way to show that you obtained write access to data without destroying the database. It is easy to see how SQL injection could be escalated to arbitrary actions on the data (including deleting rows), so going that far is not necessary for a reasonable demonstration.
- Don't disclose information about issues found until Nivelo has completed our investigation and resolution. After confirmation, you are welcome to document and publish any information about the issues you've found in accordance with ethical exposure guidelines and using your good judgement.
Out of Scope Vulnerabilities