Bounty Program Outline

Scope

Focus on vulnerabilities related to:

  1. Payments fraud
  2. Loyalty program abuse
  3. User credentials abuse
  4. Personally identifiable information exposure or abuse

 

Eligibility

  • Open by invitation or to security researchers who proactively reach out

 

Severity Levels and Examples

Critical

  • Vulnerabilities that can lead to significant financial loss, large-scale data breach, or complete system compromise.
  • Examples:
    1. Remote code execution in the POS system allows unauthorized access to payment data.
    2. SQL injection vulnerability exposes the entire customer database including payment information.

 

High

  • Vulnerabilities that can lead to partial system compromise, moderate financial loss, or unauthorized access to sensitive data.
  • Examples:
    1. Authentication bypass in the ordering system allowing unauthorized order placement or modification.
    2. Vulnerability allowing manipulation of loyalty points balances across multiple accounts.

 

Medium

  • Vulnerabilities that may lead to limited unauthorized access or moderate impact on system integrity.
  • Examples:
    1. Cross-site scripting (XSS) vulnerability in the customer-facing ordering interface.
    2. Insecure direct object reference allowing access to other users’ non-sensitive order details.

 

Low

  • Vulnerabilities with minimal impact on system security or user data.
  • Examples:
    1. Information disclosure of non-sensitive system information (e.g., software versions).
    2. Clickjacking vulnerability on non-critical pages.

 

Reward Structure

Tiered based on severity:

  1. Critical: £3000
  2. High: £1000
  3. Med: £500
  4. Low: £100

 

Submission Process

  1. Researcher contacts the company through the designated email: security@vitamojo.com
  2. Company acknowledges receipt within 3 business days
  3. The security team evaluates the reported vulnerability
  4. If valid, determine the severity and corresponding reward
  5. Communicate decision to the researcher

 

Response Timeline

  • Initial response: Within 3 business days
  • Vulnerability triage: Within 10 business days
  • Resolution timeline: Communicated after triage, based on severity

 

Rules of Engagement

  • No testing on production systems
  • No automated scanning tools
  • Do not attempt to access or modify customer data
  • Report vulnerabilities promptly and directly to the company
  • Maintain confidentiality until the vulnerability is resolved
  • We hold harmless good-faith security research from legal action, within the defined scope and rules included on the webpage. If the guidance is not adhered to, we reserve the right to pursue legal action