Security Bug Bounty Program

Our program for cooperating with independent security researchers looking to help us keep our product secure.

Last Modified: February 12, 2016

Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Programs by Google, Facebook, Mozilla, GitHub, and others have helped to create a strong bug-hunting community.

Here at BrickFTP, we celebrate security and we encourage independent security researchers to help us keep our products secure. We offer a Security Bug Bounty Program (the "Program") to create an incentive and reward structure so that researchers are able to devote resources to working on BrickFTP.

We will pay $100 to $1,000, at our discretion, to any researcher who discovers a significant security vulnerability in BrickFTP. We pay quickly and fairly, every time, as long as you follow our rules.

If you've found a vulnerability or would like to perform security research against BrickFTP, please read through the rules below.

Reports We Are Looking For

We want to know about any significant security vulnerability in our platform that affects either us or our customers.

These can include:

Bug Bounty Program Requirements

Reports That Do Not Qualify

The following types of reports do not qualify and will not pay a bounty.

Commonly False Positive Reports

Reporting any of the above false positives shall result in your being blacklisted from the Program.

Program History

We have paid out over $4,000 in bounties to 14 unique reporters under this program.

Bounty Recipients (outside of Hackerone):

Additionally, we maintain a separate Thank You page on Hackerone for folks who submitted vulnerabilities through that platform.

Thank you to all of you for your participation.

Important Terms

We aim to pay bounties as quickly as possible and will sometimes pay bounties before the issue is patched. Therefore, we require that you do not disclose any vulnerability publicly, either before or after the bounty is paid.

If paid a bounty, you may disclose that you received a bounty, but you may not disclose the amount or any information related to the type of vulnerability you found. Under no other circumstances may you disclose anything about your participation in this program.

You are still bound by the Terms of Service you agreed to upon signup for your Trial account. Please read and understand this document as it affects your rights.

BrickFTP's program is independent of any aggregation sites or other programs that may exist. Our rules and submission process are described only in this document and will likely deviate from other programs that you may also work with.

To Report a Vulnerability

To report a vulnerability, first re-read this entire page to be sure that you understand the terms. A single violation of the terms set forth on this page will lead to an immediate revocation of your access to the Bug Bounty program and we will not pay any bounties to anyone who has violated any of the terms on this page.

To report a vulnerability, email [email protected] and include the following 5 things:

Submissions lacking any of the required elements above will not be eligible for the Program; however, we will obviously evaluate them anyway, and we reserve the right to act on their recommendations without notice to the submitter.

If your submission is in compliance with our rules, we will respond as quickly as possible to your submission.

If you do not receive a response within 48 hours and you are absolutely certain that you are in 100% compliance with these rules, please write to us again to check on the status of your submission.

Hackerone Program

BrickFTP also runs a parallel version of the Security Bug Bounty program on Hackerone to encourage more participation in the program. Right now the Hackerone program is invite-only, but upon launch you will be able to find it here.

Should you prefer to participate in the Hackerone version of our program, please write to us at [email protected] with your Hackerone username and we will send you an invitation.