Bug Bounty


Wazoku Bug Bounty

What are the Terms & Conditions?

What’s in the scope?

Only the following domains are in scope for this programme:

We will not consider reports concerning testing on any Wazoku software sites other than those listed above.

Are there any other exceptions?

  • No Denial of Service testing on our website – if you find a vulnerability, submit it, but do not bring the website down
  • No rate limit testing – we will not offer rewards to reports concerning rate limiting

Where to submit?

What to include?

A good bug report needs to contain enough key information so that we can reliably reproduce the bug ourselves. Our bounty program is designed for software developers and security researchers, so reports should be technically sound. Make sure to include:

  • A detailed bug description
  • The exact URLs and data used to replicate the issue
  • Sample code (if relevant)

What are the next steps?

Once we get your report, a member of our team will respond to you via our submission platform within 2 business days of your report.

What bugs are eligible for bounty?

To claim the bounty, bugs must be original and previously unreported. If two or more people submit the same bug, the bounty will go to the researcher who submitted their report first.

If you disclose the bug publicly before a fix is released or try to exploit it, you won’t be eligible for the bounty.

We are looking for any security-related bugs in our idea management platform & public website. The type of issue (SQL injection, cross-site scripting, buffer overflow, etc.) should be consistent with the NIST National Vulnerability Database categories: https://nvd.nist.gov/vuln/categories

Some classes of bugs are less likely to be awarded a bounty. This includes existing security configurations that we are already aware of (e.g. CSP headers, SPF records or lack of DNSSEC), as well as core product functionality that works as intended (e.g. sharing content with users outside of the platform). Feel free to report these sorts of issues if you think it is warranted, but don’t expect a bounty.

How much is a bug worth?

Wazoku will pay between £30 and £100 for a bug, depending on severity.

How do we pay?

Payments are made via wire transfer within 30 days of receipt of invoice. Once a decision is made, a member of our Operations team will send an invoice to be completed with payment details. Once the invoice is completed, we will submit it for payment, and payment will be transferred within 30 days of the invoice start date.