Security Bug Bounty Program

This page defines what’s in scope, our testing rules and safe harbor, submission quality guidelines, and bounty tiers. Use the Submit Report tab above to send findings.

Scope

In-scope (examples):

  • Web: skybriz.com (production)
  • APIs: Public endpoints owned by Skybriz
  • Apps: SKYNEST iOS/Android (current public versions)

Out of scope (non-exhaustive):

  • DoS/stress tests, spam, social engineering, physical attacks
  • Self-XSS, clickjacking on non-sensitive pages, missing SPF/DMARC alone
  • Vulns in 3rd-party services we don’t control
  • “Theoretical” issues with no realistic impact or device-jailbreak-only vulns (unless stated otherwise)

Rules & Safe Harbor

  • Do not disrupt service, destroy data, or access more data than necessary to demonstrate impact.
  • Only test accounts you own (or ones we provide). No real user PII in reports—use redaction.
  • Respect rate limits; avoid automated scans that degrade availability.
  • Safe Harbor: We authorize good-faith research on in-scope assets. If you follow these rules, we won’t pursue legal action. If third parties are involved, we’ll make this authorization known.
  • No public disclosure until we confirm a fix or grant written permission.

How to Submit

Include the following for faster triage and higher bounty eligibility (submit via the tab above):

  • Title · Asset/URL · Affected endpoint/screen
  • Steps to reproduce (numbered), Expected vs. Actual, Impact
  • PoC (curl/HTTPie, minimal video, or Postman). No real user data.
  • Optional: CVSS vector/score
  • Researcher email and preferred credit name/handle

Rewards & Recognition

First valid report per root cause is eligible for bounty. Duplicates are not rewarded, but we may credit materially stronger write-ups or exploit chains. Rewards reflect our current startup phase and may grow over time.

Tier          Severity (examples)                                                                 Reward (USD)
Gold          Critical: authentication bypass, mass data exfiltration, RCE                        $100
Silver        High: privilege escalation, access to another user’s data, stored XSS on sensitive flows   $50
Bronze        Medium/Low: IDOR on limited data, reflected XSS with impact, exploitable misconfigurations   $25
Recognition   Informational / best-practice improvements with low/no exploitable impact           Hall of Fame credit

Public credit is optional via our Security Hall of Fame. We may also issue digital certificates and social acknowledgments.

Response & Payment SLAs

  • Triage acknowledgment: within 3 business days
  • Status updates: weekly until resolution
  • Payouts: within 14 days of fix/acceptance (USD via PayPal/ACH; compliance forms may be required)

Eligibility

  • Comply with local laws; participants from sanctioned regions may be ineligible for payment.
  • No current Skybriz employees/contractors unless explicitly allowed.
  • No extortion or ransom conditions.

Third-party & Out-of-Scope specifics

Issues found in third-party platforms we don’t control should be reported upstream. If you’re unsure, include details in your submission—our team will route appropriately.

Contact

Email: security@skybriz.com

By accessing, testing, or submitting to this program, you acknowledge that you have read and accept Skybriz’s Bug Bounty Policy (PDF), including the Rules & Safe Harbor above. Testing outside of the defined scope is prohibited, and public disclosure without written permission is not allowed.