Bug Bounty
Thank you for your interest in our bug bounty program!
Responsible Research and Disclosure
You will follow the rules specified hereunder, failing which your participation in the Bug Bounty Program will be immediately terminated.
You will make all efforts to avoid privacy violations, degradation of user experience, degradation of Controlio Services, disruptions to Controlio's infrastructure and systems, and destruction of both Controlio's and users' data in the course of your security bug research.
You will report any security bug discovered by you ("Security Bug") to Controlio and provide Controlio with reasonable time (2 weeks) to identify and mitigate the security bug before publicly disclosing it to others.
During your security bug research, if you have any inadvertent access to Controlio's or users' information, including sensitive, personal, or any other unauthorized information ("Unauthorized Information"), you must cease your Security Bug research to prevent further access to any Unauthorized Information by you and notify Controlio of any Unauthorized Information you accessed. Upon notifying Controlio of such access, delete all Unauthorized Information from your systems or devices.
You will always use your account, or an account for which you have explicit consent from the account owner, for testing the Security Bug.
You will use any security bug discovered by you only for testing, and you will not exploit the Security Bug in any manner.
You are prohibited from performing Distributed Denial of Service (DDoS) testing or any activities that could potentially lead to service degradation, disruption, or outage. Engaging in such actions constitutes a violation of our program policy and may result in legal consequences.
You are prohibited from forcing follow-ups and payment requests before the Security Bug report has been processed by our team.
Scope
Our primary focus is dynamic services, particularly our Controlio web application (app.controlio.net, backend.controlio.net), while our static websites (workexaminer.com, controlio.net) are given lower priority.
Please note: We do not accept unvalidated automated reports. See Exclusions for a full list.
Exclusions
- Missing any best security practice that is not a vulnerability
- Self XSS
- Username or email address enumeration
- Email bombing
- HTML injection
- XSS vulnerabilities on sandbox or user-content domains
- Unvalidated or open redirects or tabnabbing
- Clickjacking in unauthenticated pages or in pages with no significant state-changing action
- Logout or unauthenticated CSRF
- Missing cookie flags on non-sensitive cookies
- Missing security headers that do not lead directly to a vulnerability
- Unvalidated findings from automated tools or scans (Nessus, OpenVAS, Qualys, Acunetix, Burp Suite Scanner, Rapid7 Nexpose, OWASP ZAP, etc.)
- Issues that do not affect the latest version of modern browsers or platforms
- Attacks that require physical access to a user device
- Social engineering
- Use of a known-vulnerable library (without evidence of exploitability)
- Low-impact descriptive error pages and information disclosures without any sensitive information
- Invalid or missing SPF/DKIM/DMARC/BIMI records
- Password and account policies, such as (but not limited to) reset link expiration or password complexity
- Broken link hijacking
- Phishing risk via Unicode/Punycode or RTLO issues
- Missing rate limitations on endpoints (without any security concerns)
- Presence of EXIF information in file uploads
- Ability to upload/download executables
- Bypassing pricing/paid feature restrictions
- 0-day vulnerabilities in any third parties we use within 10 days of their disclosure
- Any other issues determined to be of low or negligible security impact
- Issues that do not affect the latest version of applications, modern browsers, or platforms
- Vulnerabilities that resulted from implementation that does not follow our deployment guidelines
- Our intended features or accepted risks (including but not limited to the following) are not vulnerabilities and are thus excluded from our program:
  - Applications running as SYSTEM user
  - Features to execute queries, scripts, or workflows by privileged users
  - Security concerns applicable only with rooted/jailbroken devices
Response
Our response time to submitted reports may take up to two weeks. We prioritize reports at our discretion based on the severity of the vulnerability submitted and resolve the vulnerability accordingly. Our team will notify you once the vulnerability is resolved, and you may confirm whether the remedy resolves the vulnerability. If there is more than one submission for the same vulnerability from different parties, the bounty will be paid to the first submission. Public disclosure of any vulnerability is only permitted with explicit written permission from the company. Any premature public disclosure, or any suspicion thereof, will be considered a breach of this policy and may result in the immediate termination of our collaboration.
Rewards
We offer rewards ranging from $50 to $1000 based on the severity of the vulnerabilities discovered.
Unique Vulnerability Report Format
All vulnerability submissions must follow our unique report format, which is outlined below:
- Vulnerability Title: Provide a concise and descriptive title for the issue.
- Detailed Description: Offer an in-depth explanation of the vulnerability.
- Reproduction Steps: List the step-by-step process to reproduce the vulnerability, including prerequisites and any specific configurations or conditions required. Please note: For vulnerabilities that mention a potential attack vector such as MiTM (Man in the Middle), please include a Proof of Concept with detailed reproduction steps. Failure to provide these details will result in such attack vectors being evaluated as 0 or low priority.
- Affected Assets: Specify the URLs, components, APIs, or services that are impacted by the vulnerability.
- Tools Used for Vulnerability Testing: Detail the tools or methods you used to identify or verify the vulnerability.
- Supplementary Information: Include any additional context, such as the discovery environment, date/time of detection, or other relevant details to assist in resolving the issue.