Nugit Bug Reporting Policy
Maintaining platform security is a group effort and Nugit encourages independent security researchers to help us spot potential issues. To recognize and reward such efforts, we offer a bounty for reporting security vulnerabilities. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Nugit may provide rewards to eligible reporters of qualifying vulnerabilities. The reward amount is up to USD$2,500 based on the severity of the reported vulnerability. Granting of rewards and the amount of the reward will remain at Nugit’s sole discretion.
Eligibility and Responsible Disclosure
We sincerely thank every researcher who submits valid reports that help us improve the security of the Nugit platform. However, only those that meet the following eligibility requirements may receive a reward:
- You must be the first reporter of a vulnerability.
- We cannot be legally prohibited from rewarding you.
- You may not publicly disclose the vulnerability prior to our resolution of said vulnerability.
- You must not be employed by Nugit or its subsidiaries or related entities.
- Each security issue must be reported in a separate email with a descriptive and accurate subject.
- You must not attempt to track, monitor, compromise, or otherwise affect the safety, security or behaviour of any personnel or system that interacts with your report.
We do provide Nugit test account logins for researchers: send an email to email@example.com mentioning that you are testing with Bugcrowd and how you would like to test.
As a condition of participation in this program, you hereby grant Nugit, its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Nugit in connection therewith, for any purpose.
You must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Nugit and any other party. You are also responsible for any applicable taxes associated with any reward you receive.
We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively. Nugit is not responsible for any delays or inaction from emails that do not include firstname.lastname@example.org.
The following finding types are specifically excluded from the bounty:
- Highly intrusive scans and DoS/DDoS attacks (these are not allowed).
- Non-informational error messages that do not reveal any information of value about implementation-specific details of, or the internals of, the underlying system or systems (no stack traces, no information leakage).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Self-XSS and issues exploitable only through Self-XSS.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Functional, UI and UX bugs and spelling mistakes.
- Weak password choice.
- You may investigate or target vulnerabilities against your own or test accounts, but testing must not disrupt or compromise any data or data access that is not yours.
Rewards will be paid out via a registered PayPal account within 7 days of verifying the reported bug. All payments will strictly be made via PayPal only.
Please submit bug report information and proof of concept to email@example.com and we will respond within 7 days. You may also use this email for any other questions you may have.