Security

Last updated: April 13, 2026

Security has the highest priority at AppFollow and we’re continuously working to provide secure products. AppFollow Bug Bounty Program offers cash rewards to encourage security researchers to inform us about bugs or vulnerabilities, so that we can fix them long before any damage is done.
Program Terms and Conditions

Your participation in our program is voluntary and subject to the below terms and conditions:

  • You need to show that you could exploit a vulnerability, but you must not actually exploit it. You must not: access, modify, copy, download, delete, compromise or otherwise misuse others’ data; access non-public information without authorization; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.
  • Please be ready to provide a mandatory Video Proof of Concept of your findings; we receive many copy-paste reports, which are not valid.
  • By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without AppFollow prior written approval.
  • Your testing must not violate any applicable laws or regulations.
  • You are not our paid customer.
  • You provide a real bug report, not the output of an automated scanner or of a public header-checking website.
  • By reporting a bug, you agree to share personal information with AppFollow so that we can perform compliance checks.
  • Whether to provide a payment for the disclosure of a bug and the amount of the payment is entirely at our discretion, and we may cancel or modify the program at any time.
  • Rewards are paid out only via payoneer.com or transferwise.com, so you will need an account there (no BTC, PayPal or bank transfers).
  • Only the first responsibly disclosed submission of a vulnerability instance will be marked as valid; any subsequent reports will not be eligible for our program.
  • You must be 18 years of age or older.

Ineligible vulnerabilities

Furthermore, AppFollow does not consider the following to be eligible vulnerabilities:

  • Denial of service
  • Using automated vulnerability scanners
  • Brute-force attacks or reports of spam
  • Race conditions or product limitations
  • Password policy issues (length, complexity, history)
  • Self-XSS, Self-exploitation (like token reuse and console scripting)
  • XSRF or clickjacking with no practical use to attackers
  • Email SPF, DKIM, and DMARC records
  • Signup without email confirmation or other verification methods
  • Lack of CAPTCHA
  • Missing HttpOnly/Secure cookie flags
  • Missing headers (Referrer-Policy, etc.) and DNS-related issues
  • SSL/TLS best practices
  • Content/text spoofing
  • Hyperlink injection in emails
  • Autocomplete enabled, unless it leads to sensitive data leakage
  • Debug pages: missing or overly verbose error pages that do not expose sensitive data
  • Getting access to third-party services
  • Version disclosure: stack banners, server headers, CORS, or error messages that reveal a version
  • Best-practice disclosures: missing security headers (CSP, HSTS) that do not directly lead to exploitation
  • Session invalidation or other account-management hardening when a credential is already known (e.g., a password reset link that does not expire immediately, logout, etc.)
  • Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing security headers, race conditions, etc.)
  • Account/E-mail enumeration
  • Best practice reports without a valid exploit

Scope

Valid reports for assets in the following domains are eligible for reward:

  • appfollow.io
  • api.appfollow.io
  • watch.appfollow.io

Report

Please send the report to security@appfollow.io with the subject line "Vulnerability Disclosure".
Detailed and quality reporting is important to us. You must include a working Video Proof of Concept.

Please be patient — we will provide updates when available. There is no need to request daily status updates.
Any harmful, abusive, or rude behavior toward our team will be considered a violation of this program and may result in disqualification.

We are a small company with a limited bug bounty program; responses are typically provided within 1–5 days after submission.
We aim to continue supporting researchers and running this program, and we kindly ask that you respect our decisions. 🤝
