Intempt Bug Bounty Program

At Intempt, we take security and privacy very seriously. If you have discovered a qualified vulnerability within our predetermined scope, please report it via Capture The Bug, our trusted partner responsible for managing our Bug Bounty Program.

About the program

The bug bounty program ("Program") permits independent security researchers to report discovered security issues, bugs, or vulnerabilities in Intempt ("Bug") for a chance to earn rewards in the amount determined solely by Intempt for being the first one to discover a Bug, subject to compliance with eligibility and participation requirements ("Bounty").

Before reporting a Bug, please review these Bug Bounty Program Terms and Conditions ("Terms"). These Terms are concluded between You and Intempt ("Intempt"). By submitting any Bug to Intempt or otherwise participating in the Program, You agree to comply with these Terms. All matters not covered by these Terms shall be governed by the provisions of the Terms of Service. In case of any inconsistency or discrepancy between the Terms of Service and these Terms with regard to the Program, the Terms shall prevail.

If You do not agree with these Terms, please do not send any Submission (as defined below) to Intempt or otherwise participate in this Program. Your eligibility for a reward is based on the rules described in these Terms, and it remains entirely at Intempt’s discretion.


Eligibility Requirements

To be eligible to participate in the Program, You shall comply with all of the following requirements:

  1. You are at least 18 years of age or older.
  2. You are an individual researcher participating in the Program in Your own capacity; if You work for an organization, it is Your responsibility to comply with Your employer's rules and policies that would affect Your eligibility to participate in the Program;
  3. You are or were involved in any part of the development, administration, and/or execution of this Program;
  4. You are not an employee or an external staff member of Intempt or its affiliate;
  5. You are not an immediate family member of an employee or an external staff member of Intempt or its affiliate;
  6. You act in compliance with the national, state and local laws and regulations;
  7. You are neither residing in a country which is in the NZ, AU, EU or the USA trade or economic sanctions list, nor are you a person subjected to sanctions or restrictions imposed by New Zealand, Australia, the EU or the USA.

If you do not meet the eligibility requirements above or any other requirements in these terms (including any submission-specific requirements set out in the following section); or you breach any of these Program Terms or any other agreements you have with Intempt or its subsidiaries or affiliates; or we determine that your participation in the Program could adversely impact us, our affiliates or any of our customers, employees or agents, we, in our sole discretion, may remove you from the Program and disqualify you from receiving any benefit of the Bug Bounty Program.


Disclosure Policy and Confidentiality

Any non-public data you receive, obtain access to or collect about Intempt, Intempt affiliates or any Intempt users, customers, employees or agents in connection with the Bug Bounty Program is considered Intempt’s confidential information ("Confidential Information"). Our Confidential Information also includes any information that is marked or otherwise designated as confidential at the time of disclosure or that a reasonable person would consider confidential based on the circumstances and content of the disclosure. Confidential Information does not include information that: (i) is or becomes known to the receiving party from a source other than one having an obligation of confidentiality to the disclosing party; (ii) is or becomes publicly known or otherwise ceases to be confidential, except through a breach of this Agreement; or (iii) is independently developed by the receiving party.

Confidential Information must be kept confidential and only used: (i) in furtherance of the Intempt Bug Bounty Program in accordance with the Bug Bounty Terms, (ii) to make disclosures to Intempt under the Intempt Bug Bounty Program; or (iii) to provide any additional information that may be required by Intempt in relation to the submitted report. No further use or exploitation of Confidential Information is allowed. Upon Intempt's request, you will permanently erase all Confidential Information for any systems and devices.

You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Bug Bounty submitted report, without our prior explicit consent.


Program Rules


Do:

  • Accept and follow Intempt’s Bug Bounty Program Terms.
  • Perform testing only using accounts that are your own personal/test accounts.
  • Report your initial finding(s) and request authorization to continue testing, If you think you may cause, or have caused, damage with testing a vulnerability.
  • By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.
  • By making a Submission, you give us the right to use your Submission for any purpose.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Do NOT:

  • Do not leave any system in a more vulnerable state than you found it.
  • Do not brute force credentials or guess credentials to gain access to systems.
  • Do not participate in denial of service attacks.
  • Do not upload shells or create a backdoor of any kind.
  • Do not publicly disclose a Vulnerability without our explicit review and consent.
  • Do not engage in any form of social engineering of Intempt employees, customers, or partners.
  • Do not engage or target any Intempt’s employee, customer, or partner during your testing.
  • Do not attempt to extract, download, or otherwise ex-filtrate data that may have PII or other sensitive data other than your own.
  • Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.
  • Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service.
  • Do not interact with accounts you do not own.

Response Targets

Intempt will make its best effort to meet the following SLAs for hackers participating in our program:

  • First Response: 2 days
  • Time to Triage: 3 - 10 days
  • Time to Bounty: up to 30 days
  • Time to Resolution: depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Report Quality

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. High-quality submissions allow our team to understand the issue better and engage the appropriate teams to fix. The best reports provide enough actionable information to verify and validate the issue without requiring any follow-up questions for more information or clarification.

Check the scope page before you begin writing your report to ensure the issue you are reporting is in scope for the program. Think through the attack scenario and exploitability of the vulnerability and provide as many clear details as possible for our team to reproduce the issue. A vulnerability must be verifiable and reproducible for us to be considered in-scope.

Please include your understanding of the security impact of the issue. Our bounty payouts are directly tied to security impact, so the more detail you can provide, the better. We cannot payout after the fact if we don’t have evidence and a mutual understanding of security impact. All reports must demonstrate security impact to be considered for bounty reward.

In some cases, it may not be possible to have all of the context on the impact of a bug. If you’re unsure of the direct impact, but feel you may have found something interesting, feel free to submit a detailed report and ask.

Video only proof-of-concepts (PoCs) will not be considered.

Bug Submission Requirements

For all submissions to Capture The Bug, please include:

  • A clear and concise explanation of the issue
  • Steps to reproduce the issue
  • The potential impact of the issue
  • Any potential mitigations or fixes for the issue

Failure to include any of the above items may delay or deny the Bounty Payment.


Creating Accounts for Vulnerability Research

In order to get access to our products and be able to test, you need to create accounts. You can do so by using the links provided on our website. 

Please use CaptureTheBug.XYZ (your name)  as the account’s user name for us to identify your testing traffic against our normal data. 

Scope

Bug Bounty Program Submissions pertaining to the following domains are deemed "in scope" and potentially eligible for payouts pursuant to the Program, subject to the additional requirements set forth in these Program Terms:

  1. app.Intempt.com
  2. cdn.Intempt.com
  3. api.Intempt.com/v1

Bug Bounty Program Submissions relating to the following domains are deemed not "in scope" and are not eligible for payouts pursuant to the Program:

  1. Any domain or subdomain not listed in the In Scope section is considered out of scope
  2. All domains hosted by a third-party service provider
  3. All staging/development environments unless explicitly mentioned in the In Scope section.


Reward Policy

Critical Severity Bugs ($500 - $1000)

Critical severity vulnerabilities likely lead to root level compromise of servers, applications, and other infrastructure components. If a critical vulnerability cannot be addressed within timelines as defined, an incident response ticket will be opened, documenting what interim remediation has been made.

  • Remote Code Execution
  • An SQL injection that could affect the functionality of the product, the customer's personal data, and any order data. Only commands with write permissions are considered critical, such as: update, insert, etc. But it is VERY IMPORTANT not to run such commands without our permission in our production environment. If you think that the SQL injection payload can execute commands with write permissions - let us know, we will provide you with the opportunity to test with test tables.
  • Privilege Escalation affecting users or admin access
  • And other critical-severity issues

High Severity Bugs ($200 - $500)


High severity vulnerabilities are typically difficult to exploit but could result in escalated privileges, significant data loss, and/or downtime.

  • SQL injection that does not directly affect the functionality of the product, but can be used for further more serious attacks, commands such as: select, sleep, etc. that have read permissions
  • Authentication/Authorization Bypass (Broken Access Control)
  • SSRF to an internal service, with extremely critical impact
  • Improper Direct Object Reference (IDOR), with extremely critical impact
  • Stored XSS that manipulates orders or customers
  • Directory Traversal - Local File Inclusion
  • And other high-severity issues

Medium Severity Bugs ($100 - $200)


Medium severity vulnerabilities usually require the same local network or user privileges to be exploited

  • Server misconfiguration or provisioning errors
  • Improper Direct Object Reference (IDOR)
  • Reflected XSS that manipulates orders and customers
  • Information leaks or disclosure (including customer personal data), e.g XSS that can expose customer information
  • Rate limiting or bruteforce (with personal data)
  • Descriptive error messages or headers (e.g. stack traces, application or server errors)
  • And other medium-severity issues

Low Severity Bugs ($50-$100)

Low severity vulnerabilities are likely to have very little impact on the business, they mostly require local system access.

  • Redirects and requests containing integer IDs (primary keys in our DB), we'll award one per resource, not per instance.
  • Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
  • Rate limiting or bruteforce without sensitive data
  • No other types of issues at this level will be considered for bounty

Out of Scope 

  • Attacks requiring physical access to a user's device
  • Any physical attacks against Intempt’s property or data centers
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
  • Logout CSRF
  • Self XSS
  • CSV Injection
  • Scanner Outputs
  • Weak Captcha / Captcha bypass
  • HTTP Trace Method
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Issues related to software or protocols not under Intempt control
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • Bugs requiring unlikely user interaction or rely on social engineering
  • Any activity that could lead to the disruption of our service (DoS).
  • Issues relating to unlocking client-side features in modified Intempt applications, attacks requiring MITM, rooted devices, or jailbroken devices
  • Open redirects unless they can demonstrate a higher security risk than phishing.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Missing best practices in SSL/TLS configuration.
  • Rate limiting or bruteforce issues
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Software version disclosure / Banner identification issues / Directory listing / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • General best practices related to CSP policies, lack of specific security headers, etc.


Legal

Intempt reserves the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms.

By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.

By making a Submission, you give us the right to use your Submission for any purpose.

Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting.

Reward Policy

Previous bounty amounts are not considered a precedent for future bounty amounts. Bounty awards are not additive and are subject to change as our internal environment evolves. We determine the upper bound for security impact and award based on that impact.

When determining bounty amounts, we consider the security impact of any given issue things that influence security impact are the scale of exposure and the various mitigating and multiplying factors. Bounty payouts and amounts, if any, will be determined by us in our sole discretion. In no event are we obligated to provide a payout for any Submission. The format, currency, and timing of all bounty payouts shall be determined by us in our sole discretion. You are solely responsible for any tax implications related to any bounty payouts you may receive. If we receive several reports for the same issue, only the earliest valid report that meets requirements and provides enough actionable information to identify the issue may be considered for a bounty.

Please note that in case the submitted bounty is approved and the reward is assigned, the payment terms are net 30 days after the bounty approval date.


Safe Harbor

Activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you for research and vulnerability disclosure activities conducted in accordance with these Program Terms, or for accidental violations committed in a good-faith attempt to comply with these Program Terms. If legal action is initiated by a third party against you in connection with activities validly conducted under these Program Terms, we will take reasonable steps to make it known that your actions were conducted in compliance with these Program Terms. You are required, at all times, to comply with all applicable laws and not to disrupt any systems or data beyond activities expressly authorized by these Program Terms.

Please note, however, that we cannot bind third parties with these safe harbour provisions, and if your security research involves systems, networks, products, or services of a third party, that party could pursue legal action against you. We do not authorize research activities in the name of any other entities, and we do not offer to defend, indemnify, or otherwise protect against any third-party actions based on such activities.

If you submit a Bug bounty Program Submission that affects or relates to a service provided by a third party, we may share non-identifying content from your Bug Bounty Program Submission with the affected third party, provided that before doing so, we will obtain confirmation from the third party that the third party will not initiate legal action against you based on the contents of your Bug Bounty Program Submission. We reserve the right to determine in our sole discretion whether any conduct violates these Program Terms and whether any violations were accidental. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please email us at hey@Intempt.com with your questions.

No Warranties


INTEMPT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR GUARANTEES WITH RESPECT TO THE PROGRAM. YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER APPLICABLE LOCAL LAW, WE EXCLUDE ALL IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW LIMITING THE FOREGOING EXCLUSIONS. NOTHING IN THESE PROGRAM TERMS IS INTENDED TO AFFECT THOSE RIGHTS TO THE EXTENT APPLICABLE.

Indemnification


YOU SHALL INDEMNIFY AND HOLD Intempt AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, AGENTS, AND EMPLOYEES, HARMLESS FROM ALL CLAIMS, ACTIONS, PROCEEDINGS, DEMANDS, DAMAGES, LOSSES, COSTS, AND EXPENSES (INCLUDING REASONABLE ATTORNEYS' FEES), INCURRED IN CONNECTION WITH ANY MATERIALS SUBMITTED, POSTED, TRANSMITTED OR MADE AVAILABLE BY YOU THROUGH PARTICIPATION IN THE PROGRAM (INCLUDING ANY BOUNTY PROGRAM SUBMISSIONS YOU MAKE) AND/OR ANY VIOLATION BY YOU OF THESE PROGRAM TERMS, THE RIGHTS OF ANY THIRD PARTY, OR ANY APPLICABLE LAW OR REGULATION. 

This provision does not require you to indemnify Intempt for any unconscionable commercial practice by Intempt or for Intempt's fraud, deception, false promise, misrepresentation or concealment, suppression or omission of any material fact in connection with the Program.

Limitation of Liability


UNDER NO CIRCUMSTANCES SHALL Intempt BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY OR OTHER DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, ANY DAMAGES THAT RESULT FROM (I) YOUR USE OF OR YOUR INABILITY TO USE THIS WEBSITE, APP OR THE SERVICE, (II) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS, DATA, INFORMATION OR SERVICES, (III) ERRORS, MISTAKES, OR INACCURACIES IN THE MATERIALS ON THE WEBSITE, OR (IV) ANY ERRORS OR OMISSIONS IN ANY MATERIAL ON THE WEBSITE, OR ANY OTHER LOSS OR DAMAGE OF ANY KIND ARISING FROM OR RELATING TO YOUR USE OF THE WEBSITE. THESE LIMITATIONS SHALL APPLY EVEN IF Intempt HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, Intempt'S LIABILITY TO YOU FOR ANY DAMAGES ARISING FROM OR RELATED TO THESE PROGRAM TERMS (FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF THE ACTION), WILL AT ALL TIMES BE LIMITED TO THE GREATER OF (A) ONE HUNDRED DOLLARS ($100) OR (B) THE AGGREGATE AMOUNT OF ANY REWARDS YOU HAVE RECEIVED PURSUANT TO THE PROGRAM IN THE PRIOR 12 MONTHS (IF ANY). THE FOREGOING LIMITATIONS SHALL APPLY TO THE FULLEST EXTENSION PERMITTED BY LAW IN THE APPLICABLE JURISDICTION.