We are setting up a reward program for security researchers who believe they have found vulnerabilities in our security defenses – the Bug Bounty Programme.
The security of our clients’ systems and data is of paramount importance to us at HostSailor. We continually strive to have the strongest and most up-to-date security hardware and software in place and continuously monitor for any possible security threats and breaches.
We also know that we do not have a monopoly on wisdom and recognize the value external security researchers can bring to HostSailor systems’ security. That is the reason for using specialist skills and expertise in the Bug Bounty Programme.
As always, there are some terms and conditions associated with the Bug Bounty Programme. Please read and understand them before signing up.
- A Disclosure policy – what you must and must not do when finding and reporting a potential security issue
- Safe Harbour – protection for you against the consequences of unintentionally breaching any data protection laws.
We will introduce new or drop existing provisions as we develop the program.
To participate in the program, you must agree that:
- You make an effort in good faith to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data and interruption or degradation of our services.
- You must not intentionally violate any applicable laws or regulations, including, but not limited to, any applicable laws and regulations local to us and in your jurisdiction, prohibiting unauthorized access to data.
- You must not exploit a security issue you discover for any reason other than for testing purposes, and you do not conduct testing outside of your account, a test account, or another account for which you have the explicit written consent of the account owner to test.
- You give us reasonable time to investigate and mitigate an issue you report before publicly disclosing any information about the report or sharing such information with others.
These terms provide you authorization, including under the Computer Fraud and Abuse Act (CFAA).
These terms do not provide you authorization to intentionally access company data or data from another person’s account without their express consent, including (but not limited to) personally identifiable information or data relating to an identified or identifiable natural person.
HostSailor will determine, at its sole discretion, if you have complied in all respects with our standard terms and conditions of business and the Bug Bounty Program Terms in reporting a security issue to HostSailor.
If you have submitted a bona fide report, we will not initiate a complaint to law enforcement or pursue a civil action against you, including civil action under the CFAA, in connection with the research underlying your report. That includes any potential DMCA claims against you for circumventing our technological measures.
HostSailor will also not pursue legal action for or against you regarding acts that are accidental or carried out in good faith but violate our policies or the terms of the Bug Bounty program.
If you are in any doubt about any action, please don’t hesitate to contact us.
- Our Website.
We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at HostSailor’s discretion, based on risk, impact, and other factors. To be considered for a reward, you must meet the following requirements:
- Adhere to our Responsible Research and Disclosure Policy and Safe Harbor Provisions (see elsewhere in this document).
- Report a security bug: identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that HostSailor ultimately determines the risk level of an issue and recognizes that many software bugs are not security issues.)
- Report the vulnerability upon discovery or as soon as is feasible to [email protected].
- Contact us for clarification by submitting a new submission with your question before engaging in any action which may be inconsistent with or unaddressed by these terms of service.
We will follow these guidelines when evaluating reports under our bug bounty program:
- We investigate and respond to all valid reports. We receive a high volume of reports, and we prioritize evaluations based on risk and other factors. It may take some time before you receive a reply.
- We determine bounty amounts based on various factors, including (but not limited to) impact, ease of exploitation, and quality of the report.
- Note that extremely low-risk issues may not qualify for a bounty at all. Even if the issue you identify is low-risk in isolation, if your report leads us to discover higher-risk vulnerabilities, we may, at our sole discretion, pay an increased award.
- In the event of duplicate reports, we will award a bounty to the first person to submit an issue. (HostSailor determines duplicates at its sole discretion and is not obligated to share details on prior similar reports.)
- A given bounty is typically only paid to one individual. However, a subsequent report on an evaluated issue may reveal that a vulnerability remains or is more severe than initially judged. In that case, we may pay a reward for the subsequent report and evaluate whether we should make an additional reward for the initial entry.
- We reserve the right to publish reports (and accompanying updates).
We publish a list of researchers who have submitted valid security reports. You must receive a bounty to be eligible for this list, but your participation on the list is optional. We reserve the right to limit or modify the information accompanying your name in the list.