APSIS Bug Bounty Program
APSIS takes security seriously. We encourage security enthusiasts to report any issues with our systems to us, and we sometimes offer bounties for issues reported in this manner. This page describes our practice for collecting vulnerability reports from third parties.
If you believe that you have found a security vulnerability on APSIS’ websites or any of our products or systems, please let us know straight away.
How to report a vulnerability
Please email firstname.lastname@example.org with your findings. Put “Vulnerability report” in the subject line, and make sure you include:
- Summary: a short paragraph summarising the vulnerability, where it was found and what it enables you to do
- Technical description: step-by-step technical details that would allow another researcher to reproduce your discovery.
- Proof of Concept (optional): a harmless demonstration exploit for the vulnerability goes a long way towards getting quick attention.
The information you share as part of this process will be kept confidential within APSIS. It will not be shared with third parties without your permission.
Evaluation & Bounty award process
Once your report has been submitted, APSIS will work to validate the reported vulnerability. We may reach out and ask for more information. When the validation is complete, your report will be confirmed and depending on the vulnerability, APSIS may award you a small bounty as a thank you.
Some types of vulnerabilities are not included in our bounty program:
- Spam or social engineering techniques that do not rely on exploiting system vulnerabilities.
- Denial-of-service or brute force attacks.
- Security issues in third-party apps or websites that integrate with APSIS but do not compromise APSIS systems or data further.
- Vulnerabilities that rely on planting back doors or similar mechanisms on employee devices.
Responsible disclosure policy
As long as you comply with our policies for security vulnerability reporting, we will not initiate any legal or law enforcement activity against you in response to your report. We ask that:
- You give APSIS reasonable time to investigate and mitigate issues that you report before making any information about the report public or sharing such information with others.
- You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
- You make an effort to avoid privacy violations and disruptions to other users of the systems and to APSIS as a business, including attempting unauthorised access to data and interrupting or degrading our services.
- You avoid exploiting a security issue that you discover for any reason beyond what’s needed to demonstrate it. APSIS will take the full impact of the vulnerability into account when awarding bounties, even if you did not fully investigate all ramifications yourself.
- You do not intentionally violate any other applicable laws or regulations.
Bug bounty terms
To potentially qualify for a bounty, you first need to meet the following requirements:
- Follow our responsible disclosure policy (see above).
- Report a security bug: identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that APSIS ultimately determines the risk of an issue, and that many software bugs are not security issues.)
- Submit your report via email as outlined above. One issue per report. To qualify for a bounty, the issue must not already be known to APSIS or in active remediation.
- Respond to reports with requested feedback. Please do not contact employees directly or through other channels about a report.
- If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations or other confidential information) while investigating an issue, you must disclose this in your report.
- The bug bounty program is not open to current or former employees of APSIS, or to their family or relatives.
APSIS will follow these guidelines when evaluating reports:
- We will endeavour to investigate and respond to all valid reports. We prioritise evaluations based on risk and multiple other factors, and it may take some time before you receive a reply.
- We determine bounty amounts based on a variety of factors, including impact, ease of exploitation and quality of the report. If we pay a bounty, the maximum reward we pay is SEK 50,000, but lower amounts are more typical and some reports may not qualify for a bounty at all despite being valid reports.
- We aim to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change over time. Past rewards do not necessarily guarantee similar results in the future.
- In the event of duplicate reports, we award a bounty to the first person to submit an issue. (APSIS determines duplicates and may not share details on the other reports.) A given bounty is only paid to one individual.
- We reserve the right to publish reports (and accompanying updates).