Security

Last updated: June 6, 2021

Security has the highest priority at AppFollow and we’re continuously working to provide secure products. AppFollow Bug Bounty Program offers cash rewards to encourage security researchers to inform us about bugs or vulnerabilities, so that we can fix them long before any damage is done.









Program Terms and Conditions

Your participation in our program is voluntary and subject to the below terms and conditions:

  • You need to show that you could exploit a vulnerability, but you must not actually exploit it. You must not: access, modify, copy, download, delete, compromise or otherwise misuse others’ data; access non-public information without authorization; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.
  • By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without AppFollow prior written approval.
  • Your testing must not violate any applicable laws or regulations.
  • You are not our paid customer.
  • By reporting a bug, you agree to share with AppFollow the personal information, that we can perform compliance checks.
  • Whether to provide a payment for the disclosure of a bug and the amount of the payment is entirely at our discretion, and we may cancel or modify the program at any time.
  • Rewards are paid out only via payoneer.com or transferwise.com, so you will need a account there. (no btc, paypal or bank trasfers)
  • Only the first, responsibly-disclosed submission of a vulnerability instance will be marked as valid, any subsequent reports will not be eligible for our program.
  • You must be 18 years of age or older.

Not eligible vulnerabilities

Furthermore, AppFollow does not consider the following to be eligible vulnerabilities:

  • Denial of service
  • Using automated vulnerability scanners
  • Brute-force or Reports of spam
  • Self-XSS, Self-exploitation (like token reuse and console scripting)
  • XSRF or clickjacking with no practical use to attackers
  • Email SPF, DKIM, and DMARC records
  • Open CORS headers
  • Missing HttpOnly/Secure cookie flags
  • Content/text spoofing
  • Getting access to third-party services
  • Session invalidation or other improved-security related to account management when a credential is already known (e.g., password reset link does not immediately expire, etc.)
  • Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.)
  • Account/E-mail enumeration
  • Best practice reports without a valid exploit

Scope

Valid reports for assets in the following domains are eligible for reward:

  • appfollow.io
  • api.appfollow.io
  • watch.appfollow.io

Report

Please send the report to security@appfollow.io with the subject line "Vulnerability Disclosure".
Detailed and quality reporting is important to us. You must include a working Proof of Concept.

React to user feedback and market trends faster