HostSailor’s Bug Bounty Program

Disclosure Policy

Here’s what’s expected if you want to join the program:

• Respect privacy and act responsibly. Avoid tampering with others' data or causing disruptions. This includes refraining from unauthorized access, data destruction, or interfering with our services.
• Adhere to all applicable laws and regulations. This means avoiding any activities that violate local or international laws, especially those related to unauthorized access to information.
• Use security discoveries only for testing purposes. Don’t exploit vulnerabilities, and ensure you’re testing only within your account, a test account, or an account where you have explicit written consent from the owner.
• Allow us time to address reported issues before sharing any information. We need a reasonable window to investigate and resolve the problem before it’s disclosed publicly or shared with others.

Safe Harbor

These terms give you permission to act within the bounds of the Computer Fraud and Abuse Act (CFAA).

However, they don’t authorize you to intentionally access company data or someone else’s account without their clear consent. This includes personal information or anything that identifies an individual.

At HostSailor, we’ll decide if your actions align with our standard business terms and Bug Bounty Program rules when you report a security issue. If your report is legitimate and submitted in good faith, we won’t file a complaint with law enforcement or take legal action against you—this includes any claims under the CFAA or the DMCA for bypassing our security measures.

We also won’t go after you legally for accidental or good-faith actions that might breach our Bug Bounty policies.

If you’re ever unsure about something, just reach out to us—we’re here to help.

Reward Guidelines

We value the hard work of security researchers who help us keep our services safe by identifying and reporting vulnerabilities. If you find a security issue in our systems, we want to hear about it—and we may even reward you for it. Rewards, including monetary bounties, are entirely up to us and depend on factors like risk level, impact, and the quality of your report.

What We Expect from You

To qualify for a reward, here’s what you need to do:

• Follow the rules and stick to our Responsible Research and Disclosure Policy and Safe Harbor Provisions.
• Report real security risks; we’re looking for vulnerabilities in our systems that could put security or privacy at risk. Not every bug is a security issue, and we determine the risk level ourselves.
• Let us know about the issue as soon as you discover it. Send your report to [email protected].
• If you’re unsure about something or think you might break the rules, reach out to us for clarification by submitting a separate report.

What We Expect from You

When you submit a report, here’s how we handle it:

• We investigate all valid reports carefully, but since we get a lot of them, it might take some time. We prioritize based on the risk and other factors.
• Bounty amounts depend on things like the severity of the issue, how easy it is to exploit, and the overall quality of your report. Minor issues may not qualify for a reward, but if your report helps us find something more serious, we might increase the bounty.
• If multiple people report the same issue, the first person gets the reward. We decide what counts as a duplicate and won’t share details about previous reports; first come, first rewarded.
• Usually, only one person gets paid for a vulnerability. But if a follow-up report shows the problem is worse than we thought, we may reward both the original and subsequent reporter.
• We keep a list of researchers who’ve submitted valid reports. You’ll need to earn a bounty to join the list, and being on it is entirely optional.
• We also reserve the right to publish reports or updates, so your work could be part of something bigger.

We’re here to collaborate with researchers who share our commitment to security. If you’ve found something, don’t hesitate to reach out.