Bug bounty program

The Flipdish bug bounty program rewards the discovery and notification of vulnerabilities that:

  • allow unauthorised reading of personal information (in the GDPR sense) on multiple accounts.
  • allow unauthorised changing of data that is either publicly accessible or that would affect availability of our services.

To be eligible, the submitter must both demonstrate the vulnerability in action and explain how to reproduce the issue. It is not sufficient to simply state that a vulnerability exists without demonstrating it in action.

It is not sufficient to demonstrate it in action in a personal environment or solely using your own account information. For example, you would need to show access to a 3rd party’s data, not to your own data.

To be eligible the following must also be true:

  • The vulnerability must not be a known issue.
  • The submitter must not have another open bounty request (please submit one at a time).

Vulnerabilities based on overloading our systems (e.g. DDoS attacks) are not eligible for the bug bounty program.

Vulnerabilities that require access to client devices that are outside of our control are not eligible. For example, accessing local data stored on a client's Android device is not eligible.

Examples of eligible vulnerabilities:

Demonstrating updating the menu data for 5 clients.

Reason: shows unauthorized changing of data that would affect the availability of our services.

Examples of ineligible vulnerabilities:

Reporting a clickjacking vulnerability that potentially could be used to manipulate internal account data.

Reason: does not demonstrate unauthorized reading of personal data and does not demonstrate unauthorized changing of data that is either publicly accessible or that would affect the availability of our services.

Reporting that a weak cipher is used to encrypt data.

Reason: does not demonstrate unauthorized reading of personal data and does not demonstrate unauthorized changing of data that is either publicly accessible or that would affect the availability of our services. To be eligible the submitter would need to demonstrate decryption and access to personal data on multiple accounts.

Reward

The reward for each eligible submission is €1000 including all relevant taxes and bank fees. An invoice must be provided to receive payment.

How to submit

Please email [email protected] with your submission.