INVITE-ONLY · BETA
SEcMS Bug Bounty Program
Report security vulnerabilities responsibly. Get rewarded.
Reward Tiers
| Severity | Examples | Reward Range | Response SLA |
|---|---|---|---|
| Critical | RCE, auth bypass, mass PII leak | $2,000 – $10,000 | 24h |
| High | Stored XSS, SQLi, privilege escalation | $500 – $2,000 | 48h |
| Medium | Reflected XSS, CSRF in a sensitive flow, info disclosure | $100 – $500 | 7d |
| Low | Self-XSS, missing security headers, theoretical issues | Hall of Fame + swag | 30d |
Scope
In-Scope
- secms.tech + all subdomains
- *.secms.pages.dev production deploys
- /api/* endpoints
  - Webhook delivery + HMAC signing
  - Authentication / authorization / session
  - D1 / R2 data isolation
- @secms/sdk npm package
Out-of-Scope
- Social engineering of we are Corp. employees
- Physical attacks on infrastructure (Cloudflare-managed)
- DoS/DDoS (bandwidth-based)
- Best-practice issues without demonstrable impact (e.g., missing CSP nonce)
- Self-XSS without account takeover
- Vulnerabilities in 3rd-party services (Firebase, Stripe, PortOne)
- Already-known issues (check changelog first)
Rules of Engagement
- DO: Test against your own account / sandbox endpoints (/api/sandbox)
- DO: Report immediately upon discovery (don't sit on findings)
- DO: Provide reproduction steps + impact assessment
- DON'T: Access other users' data
- DON'T: Modify or destroy data
- DON'T: Publicly disclose before patch
- DON'T: Run automated scans without written permission (endpoints are rate-limited)
How to Report
Email: [email protected]
PGP Key: coming soon; until then, reports sent over TLS (without PGP) are acceptable
Required info:
- Vulnerability title + severity self-assessment
- Affected endpoint / component (URL + method)
- Reproduction steps (numbered)
- Proof-of-concept (curl command, screenshot, video)
- Impact analysis (what an attacker can achieve)
- Suggested mitigation (optional)
- Your name / handle for Hall of Fame (optional)
Disclosure Timeline
| Day | Action |
|---|---|
| T+0 | Researcher submits report |
| T+1d | Acknowledgement (Critical/High) |
| T+7d | Triage decision + reward indication |
| T+30d | Patch deployed (Critical/High) |
| T+90d | Public disclosure (coordinated) |
Hall of Fame
Researchers who responsibly disclosed vulnerabilities will be listed here (with consent).
The Hall of Fame is currently empty (the beta program launched 2026-05-05). Be the first.
Legal Safe Harbor
We will not pursue civil or criminal action against researchers who:
- Comply with this policy
- Make good-faith effort to avoid privacy violations / data destruction
- Stop testing immediately upon discovering an issue
- Report findings only to [email protected]
Last updated: 2026-05-05 · Maintained by we are Corp. Security Team
Questions? [email protected]