Fair Bug Bounty Program
This document provides the terms for a bug bounty program for those individual researchers in the security community that provide contributions to manage the security of our systems in support of our users. Please note this is an interim program and is subject to modification, updates and cancellation as we develop our program. Until such time as we develop and publish our program, we require researchers to abide by the terms of this document. If you follow terms outlined below, we will not initiate or recommend legal or other action against you in response to your report.
What we expect from you
- You must give us reasonable time to investigate, confirm and mitigate an issue you report to us before you make public any information about any vulnerabilities from your report.
- You must not access data for accounts that you do not own.
- You must make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data.
- You must make a good faith effort to avoid attacks that interrupt or degrade our services. DDoS/spam attacks are not covered by this program.
- You must not use scanners, fuzzers or any automated tools to find vulnerabilities without our consent.
- You must not conduct non-technical attacks such as phishing, social engineering or physical attacks against our employees, customers or infrastructure.
- You must not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
- You are not eligible to participate in this program if you are a resident of or make your submission from a country against which the United States has issued export sanctions or other trade restrictions, including Iran, Cuba, North Korea, Sudan and Syria, or if you are otherwise subject to restrictions as determined by the U.S. Office of Foreign Assets Control or other government agency.
- You are not eligible if you are an employee or contractor of us or our affiliates, or an immediate family member of a person employed or contracted by us or our affiliates, or less than 18 years old.
- When in doubt, email us at firstname.lastname@example.org
What can you expect from us
- We will respond as quickly as possible to your initial report.
- We will keep you updated throughout the process as we work to remediate the issue.
- Due to complexity and other factors, some vulnerabilities will require longer to address. In these cases, the vulnerability may need to remain non-public for a longer time to ensure that our security team has an adequate amount of time to address the vulnerability.
- We will let you know when the issue is fixed and when you can disclose it publicly.
- We will not take legal action against you if you have acted in good faith.
Good Faith Vulnerability Research and Disclosure
You must act in good faith when investigating and reporting vulnerabilities to us. Acting in good faith includes:
- Upholding the terms listed here. Failure to abide by the terms set forth here could result in non-payment and/or legal action if warranted.
- Respect our users’ privacy. You should only interact with accounts that you own, or with explicit permission from the account holder. If you encounter user information that you do not have permission to access during the course of your research you must:
- Stop immediately. Any further action is unauthorized by this program.
- Report access to user information immediately to email@example.com
- Do not use, save, copy, store, transfer, disclose or otherwise retain any such information
- Cooperate and work with us on further requests from us
- No extortion. Any vulnerability reporting should be done with no conditions or strings attached. Fair reserves the right to determine what we believe to be a reasonable payout for your efforts, and pay you based on our standards outlined below. Any attempt at extortion or ransom may result in legal action.
- Do no harm. You should never leave a system in a more vulnerable state than you found it. This means you should not be conducting testing or other activities that degrades, damages, destroys, or harms information within our systems or otherwise impacts our users.
Services In Scope
The following services are considered within the scope of this program:
- Fair mobile apps
Additional domains/services that we run may be eligible for this bug bounty program, but if they are not listed here, you should contact us at firstname.lastname@example.org before beginning any investigation.
Services Out Of Scope
Certain services are not within the scope of this bug bounty program. If a service is not expressly identified as within scope, you should assume it is out of scope. If you require further clarification on what services are within the scope of this bug bounty program, you should contact email@example.com beginning any investigation. Services that are not within the scope of this bug bounty program include, but are not limited to:
- Social media accounts run by Fair
- App store accounts owned by Fair
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for this program. Common examples include:
- XSS (Cross-site scripting)
- CSRF (Cross-site request forgery)
- SQL injection
- Authentication or authorization bugs
- Remote code execution
Non-technical vulnerabilities such as DDoS, phishing, breaking and entering are not qualified for our bounty program.
The following is a list of bugs that typically don’t qualify for bug bounties, however, this list is not exhaustive or definitive. When in doubt, contact us at firstname.lastname@example.org before beginning any investigation.
- Bugs that do not affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are out of scope.
- Bugs requiring very unlikely user interaction or remote edge cases of user activity.
- Disclosure of public information and information that does not present significant risk.
- Bugs that have already been submitted by another user, that we are already aware of, or that are classified as ineligible by Fair.
- Bugs that are in content/services not owned by Fair.
- Brute forcing of intended functionality.
- Leaking version or debugging information such as stack traces, path disclosure, or directory listings.
- Speculative reports or reports without enough information to confirm an issue.
- Reports recommending best practices without demonstrable proof of an actual issue.
Fair reserves the right to adjust payouts at our discretion, but in general we follow the following payout table to determine possible payout ranges for qualifying vulnerabilities, then use the severity of the vulnerability and other factors to determine a final payout amount. Please note previous payment amount will not be considered precedent for future payouts, as the security impact of an issue may vary significantly based on the passage of time or development timelines.
|Bug Type||Examples||Min Payout||Max Payout|
|Exposure of User Data||SQL injection, lack of authentication on an endpoint, etc.||$300||$5,000|
|Unauthorized Requests on Behalf of User/Employee||CSRF, leaking auth token, etc.||$200||$4,000|
|Remote Code Execution||Command injection, deserialization bugs||$500||$5,000|
|Executing code on the client||XSS||$100||$3,000|
|Other valid security vulnerabilities||Information disclosure, privilege escalation||$100||$2,000|