Bug bounty program
Last updated:
April 7, 2023
Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are up to the discretion of MPCVault. Issues may receive a lower severity due to the presence of compensating controls and context. The amounts shown in the table should be considered the MAXIMUM amounts for each severity level, though bonuses may be given at MPCVault's discretion.
MPCVault Vulnerability Research Program (VRP) - Program Policy
Introduction
At MPCVault, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any MPCVault product or service, please report it to us. You may report a vulnerability using the “Submit Report” button on this page. Reports that fall within the scope of the MPCVault Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make MPCVault more secure.
Who Can Participate in the Program
MPCVault customers and security researchers who discover a potential security finding within MPCVault products or services can report it to the VRP program. MPCVault employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program or from sharing information with an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).
How the VRP Program Works
Security researchers and customers of MPCVault are encouraged to report any behavior impacting the information security posture of MPCVault products and services.
If you are performing research, you are required to use your own accounts and are not authorized to access or otherwise interact with other people’s accounts or data. If, during your testing, you discover a vulnerability that could allow you to bypass an authentication control and gain access to another account, you should report the vulnerability but not take further action with the other account or its data.
Document your findings thoroughly, providing steps to reproduce, and send your report to us.
Reports with complete vulnerability details, including screenshots or videos, are essential for a quick response.
We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.
We will work with the affected teams to validate the report.
We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.
We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.
We will work with the affected teams to make necessary improvements and remediation.
Qualified researchers who regularly submit high quality findings can be added to MPCVault's Private Program (invited researchers only).
Services and Products in Scope
Bounty eligible findings are limited to the following marketplaces and mobile apps:
(Note: Please check Scopes section for complete details on latest in-scope assets)
MPCVault Android and iOS Apps
You are not authorized to test any asset, domain, or IP address outside the scope of the MPCVault Vulnerability Research Program. Individuals who otherwise become aware of an out-of-scope vulnerability may report the security finding for our review. If the researcher is not able to demonstrate the impact on bounty eligible assets then that finding will not be considered for the rewards.
Reports of zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) within in-scope services and products will be eligible for an award at our discretion if the report provides significant insight that assists MPCVault security teams with remediation efforts, or has not previously been identified by another researcher on our own vulnerability response program.
Legal Safe Harbor
MPCVault will not bring any legal action against anyone who makes a good faith effort to comply with program policies, or for any accidental or good faith violation of this policy. This includes any claim under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.
As long as you comply with this policy:
We consider your security research to be “authorized” under the Computer Fraud and Abuse Act and related laws. This limited authorization does not provide you with authorization to access company data or another person’s account.
We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this program, for the limited purpose of your security research conducted in accordance with this policy.
Don’t do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.
To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:
Share your PII with third parties
Share your research without your permission
Share your HackerOne points, or participation without your permission
If Your Account is Banned or Blocked as a Result of Vulnerability Research Activities
Follow the on-screen instructions when you log in to your MPCVault account for recovery
Be prepared with a recent card statement available to prove ownership
The account will typically be restored within 24 hours
Research Guidance
Reference HackerOne guidance on writing quality reports:
Responsible Disclosure Policy
Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party. Do not threaten or attempt to extort MPCVault. MPCVault commits to timely remediation of your findings, and prompt response to relevant questions.
Non-eligible Vulnerabilities
Subdomain Takeover
Clickjacking
Self XSS
Email Spoofing - SPF Records Misconfiguration
Out-of-Scope Issues
Security practices where other mitigating controls exist, e.g. missing security headers, etc.
Social Engineering, Phishing
Physical Attacks
Missing Cookie Flags
CSRF with minimal impact, e.g. Login CSRF, Logout CSRF, etc.
Content Spoofing
Stack Traces, Path Disclosure, Directory Listings
SSL/TLS controls where other mitigating controls exist
Banner Grabbing
CSV Injection
Reflected File Download
Reports on outdated browsers
Reports on outdated version/builds of in-scope Mobile Apps
DoS/DDoS
Host header Injection without a demonstrable impact
Scanner Outputs
Vulnerabilities on Third-Party Products
User Enumeration
Password Complexity
HTTP Trace Method