Vault12 Bug Bounty Program

The Bug Bounty Program is designed to reward security researchers who find vulnerabilities and report them to Vault12.


Rewards by target and priority (all amounts in USD):

  Target                  Critical   High     Medium   Low
  Vault12 iOS App         $10,000    $2,000   $500     $250
  Vault12 Android App     $10,000    $2,000   $500     $250
  True Entropy iOS App    $2,500     $1,000   $500     $250
  Vault12 Website         $2,500     $1,000   $500     $250

Rewards are payable in USD, BTC, or ETH.

Policy

What is the Vault12 Bug Bounty Program?

Vault12 actively works with security researchers to help keep our products secure and our users safe. In the event that you find a security vulnerability, we ask that you promptly report the vulnerability to us via the "Submit Report" button on this page.

Disclosure

Please do not discuss any vulnerabilities (even those that were resolved) outside of this program without the express written consent from Vault12. In the event that Vault12 confirms a security vulnerability that you have reported to us, Vault12 will provide you with the option of being publicly recognized as having identified a security issue in our products in addition to the bounty reward.

Whitehat Safe Harbor

Vault12 will not initiate legal action against you for any research conducted consistent with our policies posted on this page, including good faith, accidental violations. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with the policies posted on this page.

What are the Program Rules?

A valid report is any in-scope report that clearly demonstrates a software vulnerability that could be used to compromise the privacy or data of Vault12 or Vault12 users. Vault12 will determine in its sole discretion whether a report meets the criteria of our policies, as well as the amount of any reward.

During your research, please adhere to the following guidelines:

  • Do not access or destroy another user's data, including any of Vault12's data.
  • Please provide detailed steps to reproduce the vulnerability, including any tools required.
  • Social engineering (e.g., phishing) is strictly prohibited.
  • Only interact with accounts and devices that you own or with which you have secured the owner's explicit permission.
  • Do not disclose any security vulnerabilities to any other party without the express written permission of Vault12.

Please note the following:

  • Vault12 does not have any products that allow users to sign in, and any reports related to signing in will be automatically rejected.
  • If you report any header configurations, you must provide step-by-step instructions showing how the current configuration (or lack thereof) can be used to compromise the data of Vault12 or its customers, and you must include the exact data that is compromised. Reports discussing theoretical scenarios will be automatically rejected.
  • If you report any DNS entries, you must provide step-by-step instructions showing how the current configuration (or lack thereof) can be used to compromise the data of Vault12 or its customers, and you must include the exact data that is compromised. Reports discussing theoretical scenarios will be automatically rejected.

Failure to adhere to these guidelines will result in your report being ineligible for a reward.

If we receive duplicate reports for a given security vulnerability, only the first report shall be eligible for a reward. In addition, if multiple vulnerabilities are caused by a single underlying vulnerability and those vulnerabilities are reported in separate reports, then only the first report shall be eligible for a reward.

Vault12 makes every effort to respond quickly to security vulnerability reports and will keep you updated throughout our process. As the severity and complexity of security vulnerabilities vary, so will our time to resolve the vulnerability. If more than 30 days have passed without Vault12 providing you with an update, please get in touch with us directly by emailing bug-bounty@vault12.com.

Lastly, we reserve the right to modify or cancel our Bug Bounty Program anytime.

Scope

In Scope

  • Domain: vault12.com (report security issues here)
  • Domain: blog.vault12.com
  • Domain: eth.vault12.com
  • Domain: help.vault12.com
  • Domain: vote.vault12.com

Out of Scope

  • Domain: medium.com/vault12
  • Any other service owned/operated by a third party upon which Vault12 has an account, including but not limited to: GitHub, Telegram, Twitter, Facebook, LinkedIn, and Instagram.

Thank You

Special thanks to the following for their work finding bugs:

  • Sachin Kalkumbe
  • Waqar Vicky
  • Nitin Goplani
  • Swapnil Patil
  • Shankar Acharya
  • Himanshu
  • Mohammed Israil (@mdisrail2468)
  • Yeshwanth
  • Ramit Gangwar
  • Rutvik Kalkumbe
  • Akash M (@0xbool / @booleanaire)
  • Mridul Rastogi

The Vault12 Guard app is now available from iOS and Android app stores.