Author Topic: Blackphone Bug Bounty  (Read 15295 times)

Angelina

Blackphone Bug Bounty
« on: July 15, 2023, 10:07:49 am »
Submit bug report: http://blackphone.ch

Program Rules
Maintaining top-notch security is a group effort and Blackphone encourages independent security researchers to help us spot potential issues. To recognize such efforts and the important role they play in keeping the Blackphone ecosystem safe we offer a bounty for reporting qualifying security vulnerabilities. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Rewards
Blackphone may provide rewards to eligible reporters of qualifying vulnerabilities. The standard reward is $128.00 USD. Reward amounts may vary depending upon the severity of the vulnerability reported. Blackphone will determine, in its discretion, whether a reward should be granted and the amount of the reward.
Eligibility and Responsible Disclosure
We are pleased to thank every researcher who submits valid reports that help us improve the security of the Blackphone. However, only those that meet the following eligibility requirements may receive a reward:
You must be the first reporter of a vulnerability;
The vulnerability must be a qualifying vulnerability (see Scope);
We can’t be legally prohibited from rewarding you;
You may not publicly disclose the vulnerability prior to our resolution;
You must not be employed by Blackphone or its subsidiaries or related entities.
The Fine Print
As a condition of participation in this program, you hereby grant Blackphone, its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Blackphone in connection therewith, for any purpose. You must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Blackphone and any other party. You are also responsible for any applicable taxes associated with any reward you receive. We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.
Eligible targets
PrivatOS (plus available updates & integrated applications)
Associated web portals
*.Blackphone update servers
Ineligible
Descriptive error messages (e.g. Stack Traces, application or server errors).
Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Banner disclosure on common/public services.
Disclosure of known public files or directories (e.g. robots.txt).
Clickjacking and issues only exploitable through clickjacking.
Self-XSS and issues exploitable only through Self-XSS.
CSRF on forms that are available to anonymous users (e.g. the contact form).
Logout Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser ‘autocomplete’ or ‘save password’.
This bounty requires explicit permission to disclose the results of a submission.
Policy: https://bugcrowd.com/blackphone