Rehive does not currently have a public bug bounty program, however if you find a security vulnerability on the Rehive APIs, open source software, libraries, web applications, or website please let us know right away.
Responsible Disclosure Policy
If you give us reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you. We are willing to provide you recognition for your efforts, but you can remain anonymous at your discretion.
How to submit a report
Please send us a report via intercom. Or alternatively you can send a report to firstname.lastname@example.org.
Provide detailed steps in your report explaining how to reproduce the security vulnerability. This should include any links you clicked on, pages you visited, URLs, user IDs, etc. Provide clear descriptions of any accounts used in your report and the relationships between them.
Please note that our developer team evaluates reports on a weekly basis. As a result you will not receive feedback on your report immediately.
At our discretion, we may reward you a sum via Bitcoin or Paypal. However, the scale of the vulnerability and the resulting bounty will be evaluated against our attributes of a helpful vulnerability listed below.
Attributes of a helpful vulnerability:
You’re the first person to responsibly disclose the security vulnerability.
While investigating vulnerabilities, you made every attempt to use a test account instead of a real account.
While investigating vulnerabilities you did not cause any service disruption for Rehive customers.
While investigating vulnerabilities, you had no interaction with other accounts without the consent of their owners.
The reported vulnerability could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure, such as:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF/XSR)
Broken Authentication or authorization
Circumvention of our Platform/Privacy permission models
Remote Code Execution