Reporting a vulnerability

Information on how to report vulnerabilities in the Rehive ecosystem.

Written by Joshua van Besouw
Updated over 3 months ago

Rehive does not currently have a public bug bounty program. However, if you find a security vulnerability in the Rehive APIs, open source software, libraries, web applications, or website, please let us know right away.

Responsible Disclosure Policy

If you give us reasonable time to respond to your report before making any information public, and make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you. We are willing to give you recognition for your efforts, but you may remain anonymous at your discretion.

How to submit a report

Please send us a report via Intercom. Alternatively, you can send a report to support@rehive.com.

Provide detailed steps in your report explaining how to reproduce the security vulnerability. This should include any links you clicked on, pages you visited, URLs, user IDs, etc. Provide clear descriptions of any accounts used in your report and the relationships between them.

Please note that our developer team evaluates reports on a weekly basis. As a result, depending on the backlog and the content of your report, you may have to wait several weeks before you receive a response.

Bug bounty

At our discretion, we may reward you with a sum via PayPal. The severity of the vulnerability, and the size of any resulting bounty, will be evaluated against the attributes of a helpful vulnerability listed below.

Attributes of a helpful vulnerability:

  • You’re the first person to responsibly disclose the security vulnerability.

  • While investigating vulnerabilities, you made every attempt to use a test account instead of a real account.

  • While investigating vulnerabilities you did not cause any service disruption for Rehive customers.

  • While investigating vulnerabilities, you had no interaction with other accounts without the consent of their owners.

  • The reported vulnerability could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure, such as:

    • Cross-Site Scripting (XSS)

    • Cross-Site Request Forgery (CSRF/XSRF)

    • Broken authentication or authorization

    • Circumvention of our Platform/Privacy permission models

    • Remote Code Execution

    • Privilege Escalation

    • Provisioning Errors

Please note that we do not award bounties for minor misconfigurations or low-impact vulnerabilities that can be easily detected with readily available automated security scanners.
