Bug bounty program suspended due to Covid-19
ReadyTech Bug Bounty Policy
Readytech (“we”, “us” or “our”) believes that working with skilled security specialists across the globe is crucial in identifying weaknesses in any technology. We welcome researchers to work with us in
identifying any issues according to the program rules described in this policy.
ReadyTech welcomes responsible disclosure of any vulnerability found in its sites in order to get the best possible security for its services.
The following sites are included in the bug bounty program:
Other sites are not eligible. These include unreleased products and sites developed and/or hosted by 3rd parties. Our marketing site (readytech.com, readytechtest.wpengine.com) is developed and hosted by a 3rd party and therefore not eligible under this program.
4.1 How to Participate
- All security specialists an introduction email to approved in our screening process. The email must include, but not limited to:
- Full Name.
- Phone Number – it’s necessary, because ReadyTech might need to contact you in case the testing interferes with our service.
- Verifiable social media account (e.g. Linkedin, Facebook, Instagram, etc).
- Background experience.
- The expected date to start and finish testing analysis.
- Selected participants will be contacted by ReadyTech with an authorization message.
- ReadyTech reserves the right to refuse participants’ requests without additional information.
- Failure to pre-register automatically disqualifies the candidate from participating in the program and any reported issues will not be compensated.
- ReadyTech employees are not eligible for participation in this program.
4.1.2 Participants Guidelines
- Interested security specialists must agree and adhere to the Program Rules as stated in this policy.
- Vulnerabilities analysis must be executed only for ReadyTech eligible sites (Scope) and respecting the Responsible Disclosure (Topic 5.2);
- ReadyTech encourages the participants to consolidate all vulnerabilities identified in one unique report.
- ReadyTech takes information security very seriously, therefore standards or basic vulnerabilities scans are not welcome as its potential risks are already covered by our internal processes. information security very seriously, therefore standards or basic vulnerabilities scans are not welcome as its potential risks are already covered by our internal processes.
- Participants must be available to supply additional information, as needed by the ReadyTech team, to reproduce and triage any issue.
- Due to the varying and complex nature of technical issues, ReadyTech does not have firm timelines for analyzing findings under the Bug Bounty Program.
4.2 Responsible Disclosure
The participants must comply with the principles of responsible disclosure, which include, but are
not limited to:
- Accessing, modifying or exposing only customer data that is your own.
- Avoiding scanning techniques that are likely to cause degradation of service to other ReadyTech
customers (e.g. by overloading the site).
- Keeping within the guidelines of ReadyTech’s Terms Of Service.
- Keeping details of vulnerabilities secret until ReadyTech has been notified and had a reasonable amount of time to fix the vulnerability.
4.3 Bounty Eligibility
- Reports received without prior participant approval won’t be eligible for a bounty.
- Only vulnerabilities found on eligible sites (Scope) will be acceptable.
- ReadyTech engineers must be able to reproduce the security flaw reported.
- The submission must be accepted as valid by ReadyTech according to the principles of this policy
4.3.1 Vulnerabilities Classification
Examples of Qualifying Vulnerabilities:
- Authentication flaws
- Circumvention of our
- Platform/Privacy permissions model
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
- Mixed-content scripts
- Server-side code execution
Examples of Non-Qualifying Vulnerabilities
- Denial of Service vulnerabilities (DOS)
- Possibilities to send malicious links to people you know
- Security bugs in third-party websites that integrate with ReadyTech
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves be susceptible
ReadyTech Bug Bounty Program provides a monetary reward for the participants who report us with any qualifying vulnerability.
Reward requirements applies as follows:
- Only 1 bounty will be awarded per vulnerability.
- If ReadyTech receives multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
- You cannot report the same vulnerability on multiple pages or applications to receive additional compensation.
- The minimum bounty amount for a validated bug submission is $50 USD and the maximum bounty for a validated bug submission is $300 USD.
- All bounty amounts will be determined at the discretion of ReadyTech based on severity, impact, and quality.
- The reward can only be provided for residents of a country not on U. S. sanctions lists (e.g. Cuba, Iran, North Korea, Sudan & Syria).
Participants must be oriented to email ReadyTech at firstname.lastname@example.org with any questions about the program.