Pipeboard Bug Bounty Program

We value security researchers and reward those who help us improve our security posture.

💰 Reward Range: $20 - $150 USD (via PayPal)

Program Scope

✅ In Scope

• Authentication and authorization issues
• Information disclosure vulnerabilities
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• SQL Injection
• Server-Side Request Forgery (SSRF)
• Authentication bypass
• Session management issues
• Business logic flaws with security impact

❌ Out of Scope

• Social engineering attacks
• Physical attacks
• Denial of Service (DoS/DDoS)
• Issues in third-party services
• Self-XSS without demonstrable impact
• Issues requiring physical device access
• Reports from automated tools without validation
• Theoretical vulnerabilities without proof of concept
• Infrastructure issues (DNS, missing headers, etc.)

How to Report

Send security reports to: privacy@pipeboard.co

Required Information

Clear Description: What is the vulnerability?
Location: Where is it (URL, endpoint, feature)?
Steps to Reproduce: Detailed reproduction steps
Impact: What can an attacker do with this?
Suggested Fix: Optional but appreciated
Screenshots/Evidence: If applicable

Reward Assessment

Critical - $150

• Remote Code Execution (RCE)
• SQL Injection allowing data extraction
• Authentication bypass affecting all users
• Direct access to sensitive user data
• Account takeover vulnerabilities

Example: Complete authentication bypass allowing access to any user account

High - $100-$120

• Stored XSS on critical pages
• Privilege escalation
• Payment/billing manipulation
• Sensitive information disclosure at scale
• CSRF on critical actions

Example: Information disclosure vulnerability (October 2025, $100)

Medium - $50-$80

• Reflected XSS requiring user interaction
• Open redirects with security impact
• Information disclosure (limited scope)
• CSRF on non-critical actions
• Business logic flaws with moderate impact

Example: Open redirect that could be used in phishing attacks

Low - $20-$40

• Self-XSS with demonstrated impact
• Information leakage (minimal impact)
• Missing security headers (with exploitability)
• Rate limiting issues
• Minor business logic issues
• Defense-in-depth violations with limited exploitability

Example: Authentication security gap (October 2025, $40)

Assessment Principles

1. Report Quality (20%)

• Clear documentation
• Professional presentation
• Actionable recommendations
• Responsible disclosure

2. Vulnerability Impact (40%)

• User data at risk
• Scale of impact
• Privacy implications
• Business impact

3. Exploitability (30%)

• Ease of exploitation
• Authentication required
• Automation potential
• User interaction needed

4. Fix Complexity (10%)

• Scope of changes
• Testing requirements
• Architectural changes

Response Process

1. Initial Response (Within 48 hours)

Acknowledge receipt, assign tracking number, set expectations

2. Investigation (Within 7 days)

Reproduce vulnerability, assess severity, determine bounty eligibility

3. Fix Implementation

Develop and test fix, document issue and solution, deploy

4. Reward & Disclosure (After fix deployed)

Notify researcher, confirm reward, process payment within 5 business days

Our Commitments

We Promise To:

✓ Respond within 48 hours
✓ Fix legitimate vulnerabilities
✓ Pay rewards fairly
✓ Give credit publicly (if desired)
✓ No legal action for good-faith research
✓ Keep you updated throughout

We Ask That You:

✓ Report privately first
✓ Allow 90 days before disclosure
✓ Don't harm users or access user data
✓ Don't degrade service
✓ Communicate professionally

Not Eligible for Bounty

• Duplicate reports (first reporter gets the bounty)
• Issues already known to us
• Vulnerabilities in outdated dependencies (if already aware)
• Issues requiring user to already be compromised
• Content spoofing without security impact
• Missing best practices without exploitable vulnerability
• Issues in third-party components we don't control
• Infrastructure issues (DNS configuration, missing DMARC/SPF records, server hardening)

Case Studies

Information Disclosure Vulnerability

$100

October 2025

Severity: High - Privacy violation affecting all users

Impact: Could enable targeted attacks against users

Why $100: High exploitability, professional report, substantial fix required, affects all users

Authentication Security Gap

$40

October 2025

Severity: Low - Defense-in-depth violation

Impact: Limited exploitability, narrow time window required

Why $40: Valid security concern but low real-world exploitability

Frequently Asked Questions

Can I test in production?

Yes, but please be careful and minimize impact. Don't access real user data, don't perform actions that affect other users, and stop testing once you've confirmed the vulnerability.

What if someone already reported this?

First valid report gets the bounty. We'll let you know if it's a duplicate.

How long until I get paid?

Within 5 business days after the fix is deployed and we've confirmed your PayPal address.

Can I disclose the vulnerability publicly?

Yes, but please wait until we've fixed it and coordinate timing with us. We typically ask for 90 days.

Can I remain anonymous?

Yes, absolutely. We can process payments and keep your identity confidential if you prefer.

Program Statistics

$175

Bounties Paid

~3 days

Avg Response

~5 days

Avg Fix Time

Active

Program Status

Security Researchers Hall of Fame

We're grateful to the following security researchers who have helped make Pipeboard more secure:

🏆
Kunal Mhaske• October 2025
🏆
Shubham Yarnale• October 2025

Want to join our Hall of Fame? Report a valid security vulnerability and help protect our users!

Ready to Report?

Send your security findings to our dedicated security team

Report Security Issue

Last Updated: March 18, 2026