Bug Bounty Program


“- Fed Net Announcer. Every day, Federal scientists are looking for new ways to kill bugs”

Security is the core of our values, and we value the input of security researchers to help us maintain a high standard of security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

“The only good bug is a dead bug.” 🐞

Expectations

When working with us according to this policy, you can expect us to:

  • Work with you to understand and validate your report, including a timely initial response to the submission;
  • Work to remediate discovered vulnerabilities promptly; and
  • Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

Scope

The following is the list of platforms that are within the scope of this program.

Out of Scope

The following is the list of exploits/flaws that are ineligible for this program.

  • Security bugs that do not affect our default application configuration
  • Security bugs that do not affect our Dockerized containers
  • Timing attacks that reveal information
  • Methods to reveal information about other running processes
  • Denial of service attacks or other volume-based attacks
  • Phishing attacks
  • Usage of large-scale vulnerability scanners, scrapers, or automated tools that produce excessive amounts of traffic
  • Machi-Systems Clients’ Servers

Rewards

Machi-Systems Website, Hub, and Applications

Category                                               PayPal Credit   Service Credit
XSS                                                    $150            $300
XSS (bypassing CSP)                                    $1,000          $1,500
CSRF                                                   $300            $600
Authentication bypass                                  $1,500          $3,300
SQL injection                                          $10,000         $10,000
Arbitrary code execution                               $4,000          $6,000
Arbitrary code execution (with privilege escalation)   $15,000         $30,000
Persistent code change                                 $10,000         $20,000

Machi-Systems Servers

Category                                               PayPal Credit   Service Credit
Authentication bypass (SSH, FTP, VPN, etc.)            $500            $1,000
Authentication bypass of supported apps                $250            $500
Local privilege escalation                             $1,000          $2,500

Researchers who report valid vulnerabilities and exploits will be listed in our Hall of Fame as a token of our gratitude.

Receiving Your Award

  • Awards are paid in one of two credit categories; you can opt for either of the following:
    • PayPal Credit
    • Service Credit
  • To receive PayPal Credit, you must have a valid PayPal account.
  • If you opt for Service Credit, it is not transferable and can only be used with Machi-Systems services.

Ground Rules

  • Check the Changelog channel in our Discord server or Changelog doc page for any recently launched updates/features;
  • Play by the rules. This includes following this policy, the Machi-Systems Terms of Service, and any other relevant agreements;
  • Report any vulnerability you’ve discovered promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Only use the Machi-Systems Ticket System to contact us with technical details of discovered vulnerabilities;
  • Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy;
  • Perform testing only on in-scope systems, and respect systems and activities that are out-of-scope;
  • If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required to effectively demonstrate a Proof of Concept, and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII) or proprietary information. You may also request an isolated server on which to further demonstrate your proof of concept;
  • Only interact with test accounts you own; and
  • Do not engage in extortion.

Safe Harbor

We consider vulnerability research conducted according to this policy to be:

  • Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our policies that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If a third party initiates legal action against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through the Machi-Systems Ticket System before going any further.

Disclosure Policy

If you believe you have discovered a vulnerability, please create a ticket through the Machi-Systems Ticket System.

Machi Bug Bounty Hall of Fame

We thought we were smarter than the Bugs.

“Every time we killed a thousand Bugs at a cost of one M.I. it was a net victory for the Bugs. We were learning, expensively, just how efficient a total communism can be when used by a people actually adapted to it by evolution; the Bug commisars didn’t care any more about expending soldiers than we cared about expending ammo. Perhaps we could have figured this out about the Bugs… …the trouble with ‘lessons from history’ is that we usually read them best after falling flat on our chins.” ― Robert A. Heinlein, Starship Troopers

We hope you’ve found this doc useful. Is anything missing? If so, email us at contact@machi-systems.com and we’ll get it sorted for you.