Last updated: January 1, 2024

Security has the highest priority at AppFollow, and we’re continuously working to provide secure products. The AppFollow Bug Bounty Program offers cash rewards to encourage security researchers to inform us about bugs or vulnerabilities, so that we can fix them long before any damage is done.

Program Terms and Conditions

Your participation in our program is voluntary and subject to the below terms and conditions:

  • You need to show that you could exploit a vulnerability, but you must not actually exploit it. You must not: access, modify, copy, download, delete, compromise or otherwise misuse others’ data; access non-public information without authorization; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.
  • Please be ready to provide a video PoC of your findings; we receive a lot of copy-paste requests, which are not valid.
  • By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without AppFollow's prior written approval.
  • Your testing must not violate any applicable laws or regulations.
  • You are not our paid customer.
  • You provide a real bug report, not the result of an automatic scanner run against a public website to check headers.
  • By reporting a bug, you agree to share personal information with AppFollow so that we can perform compliance checks.
  • Whether to provide a payment for the disclosure of a bug and the amount of the payment is entirely at our discretion, and we may cancel or modify the program at any time.
  • Rewards are paid out only via or, so you will need an account there (no BTC, PayPal or bank transfers).
  • Only the first, responsibly-disclosed submission of a vulnerability instance will be marked as valid; any subsequent reports will not be eligible for our program.
  • You must be 18 years of age or older.

Not eligible vulnerabilities

Furthermore, AppFollow does not consider the following to be eligible vulnerabilities:

  • Denial of service
  • Using automated vulnerability scanners
  • Brute-force or reports of spam
  • Self-XSS, Self-exploitation (like token reuse and console scripting)
  • XSRF or clickjacking with no practical use to attackers
  • Email SPF, DKIM, and DMARC records
  • Signup without Email confirmation and verification methods.
  • Lack of Captcha.
  • Open CORS headers
  • Missing HttpOnly/Secure cookie flags
  • Missing headers (Referrer-Policy, etc), DNS related issues
  • SSL/TLS best practices
  • Content/text spoofing
  • Hyperlink injection in emails
  • Getting access to third-party services
  • Session invalidation or other security improvements related to account management when a credential is already known (e.g., password reset link does not immediately expire, logout, etc.)
  • Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing security headers, etc.)
  • Account/E-mail enumeration
  • Best practice reports without a valid exploit


Valid reports for assets in the following domains are eligible for reward:



Please send the report to with the subject line "Vulnerability Disclosure".
Detailed and quality reporting is important to us. You must include a working Proof of Concept.

Please be patient; you will receive updates when, and if, there is anything to share.
We are a small company with a limited bug bounty program.
