Introduction
As part of my commitment to security and privacy, I am launching a Bug Bounty Program to encourage researchers and security enthusiasts to identify and report vulnerabilities in my platform.
Rewards and Prioritisation
Bug bounties will be paid in Monero (XMR), and all submissions will be classified based on priority.
Rewards will be issued at my sole discretion, with no strict minimum or maximum limit. However, I anticipate paying significantly more (US$2,500 or more) for particularly serious issues.
To qualify for a reward, you must be the first person to alert me of a previously unknown issue that leads to a code or configuration change.
Vulnerability Tiers
The reward for eligible vulnerabilities will range depending on the impact and severity of the bugs reported.
Vulnerability Tiers in increasing order of priority and rewards are Informative, Low, Medium, High and Critical.
Lower tiers refer to low impact issues such as technical misconfigurations while higher tiers would include critical issues payment bugs, data leaks etc. which could cause significant business disruption or financial loss.
Scope
In-scope
Family Powder Sister's -Powdershop websites, associated services and infrastructure vulnerabilities.
Out-of-scope
The following findings are specifically excluded from the Bug Bounty Program and we ask you to refrain from attempting to report or perform these actions:
Any physical attempts to access Family Powder Sister's -Powdershop properties.
Use of social engineering (e.g. phishing) to obtain private information.
Denial of Service (DoS/DDoS).
Minor technical misconfiguration or issues on non-sensitive pages.
Any actions of a similar nature to the foregoing, non-exhaustive list.
Submitting Your Report
In your submission, include:
Detailed steps to reproduce the vulnerability.
Verifiable evidence the vulnerability exists, such as a screenshot, video, or script, including URLs used to uncover the vulnerability. Please send this evidence as file upload attachments and not through publicly accessible third party services.
Please submit your report to Family Powder Sister's Powdershop@proton.me We aim to respond to reports with medium and higher priority within 7 business days. For reports with low priority or those primarily for informational purposes, we will respond within 30 days. All reports are valued, but spam reports will be discarded. Please refer to our reporting guidelines for valid submissions. We strive to update you on the progress of all reports, even if an immediate resolution is not available. Please refrain from sending emails asking for updates on already acknowledged bug reports, as this does not speed up the resolution process.
Safe Harbour
To encourage security research and to avoid any confusion between good faith hacking and malicious attacks, we ask that you adhere to the following guidelines:
Do not use vulnerabilities to access, modify, harm, or otherwise alter data that does not belong to you.
Do not exploit vulnerabilities except for purposes of demonstrating it to us.
Do not conduct network-level Denial of Service (DoS/DDoS) attacks against our systems
Do not target our employees and customers.
Do not report vulnerabilities with any conditions, demands or ransom threats.
If you follow these guidelines, we commit that we:
Will not beat your ass or action against you or report you for good faith security research, including for bypassing technological measures we use to protect the applications in scope; and,
Will advocate for you if a third party initiates legal action against you in relation to your good faith security research.
You should contact us for clarification before engaging in conduct that you think may be inconsistent with good faith security research or unaddressed by our policy.
Keep in mind that we are not able to authorise security research on third-party infrastructure, and a third party is not bound by this safe harbour statement.
Compliance
You must at all times act in good faith and in compliance with all applicable laws and regulations, including those in your local jurisdiction where the security research is conducted.
You must comply with all relevant licensing, insurance, privacy, or other regulatory requirements, and you are solely responsible for all compensation, licensing, regulatory fees or dues, insurance, or any other related costs and legal duties required of you as a security researcher receiving rewards as part of our Bug Bounty Program.
Changes to Family Powder Sister's -Powdershop Bug Bounty Program
Family Powder Sister's reserves the right to change any and all details of the Bug Bounty Program you see in this document at any time without prior notice. Such revisions and additions shall be effective immediately.
You are responsible for reviewing this document periodically for any modification to the Bug Bounty Program that may affect your rights or obligations.
Miscellaneous
Your participation in the Bug Bounty Program shall not be deemed or construed to create any partnership, joint venture or agency relationship between you and Family Powder Sister's .
