We welcome responsible security research and appreciate ethical hackers who help identify vulnerabilities in our platform. This policy outlines the process for submitting reports, what qualifies for a bounty, and the terms under which we engage.
Only testing against explicitly approved ConveYour-owned domains is permitted. These environments are non-production and not associated with client data.
The following are out of scope:
Customer accounts or data
Client-specific subdomains or sandboxed environments
Third-party platforms not operated by ConveYour
🚫 Any testing that targets live production, affects customers, or is performed without explicit approval is strictly prohibited and disqualifies the report from bounty eligibility.
To submit a vulnerability:
Email [email protected]
Include:
A detailed description of the vulnerability
Clear, reproducible steps
Proof-of-concept or screenshots
Assessment of potential impact
Submissions without sufficient detail or reproducibility will not be eligible for review.
If you follow this policy and act in good faith, we consider your security research to be authorized conduct. We will not pursue legal action against you for discovering and reporting vulnerabilities within the scope of this policy.
This does not apply to testing that involves unauthorized access to customer data, denial-of-service attempts, or any activity prohibited in the scope section above.
Reward amounts are determined based on severity, impact, and clarity of the report. These are general guidelines:
High ($1000-$5000)
Medium ($500-$999)
Low ($150-$499)
Informational/Out-of-scope ($0)
Flat payments of $150 may be issued for verified low-severity issues at ConveYour’s discretion.
PayPal only — we do not process payments through other channels.
We pay in United States Dollars (USD) only.
We do not cover fees for converting payments into other currencies.
Payment may take up to 30 days following validation and internal review.
We do not pay for:
Duplicate or already-reported vulnerabilities
Automated scanner reports without meaningful impact
Reports that cannot be reproduced by our team
We ask that you do not disclose vulnerabilities publicly without our written approval. We are open to working with you on a coordinated disclosure timeline once the issue has been verified and resolved.
We will not engage with individuals who:
Demand payment before providing full details
Withhold key information as leverage
Submit vague or intentionally misleading reports
Use aggressive, manipulative, or threatening behavior
Attempts to exploit the bounty process in bad faith may result in permanent disqualification from future participation.
Researchers who consistently demonstrate professionalism and produce high-quality findings may be invited to engage further. This could include:
Defined scopes of work
One-off consulting agreements
Non-disclosure agreements (NDAs) as appropriate
We value productive, long-term relationships with those who help us strengthen our platform.
We’re a lean team that takes security seriously. If you’re here to help in good faith, we’ll treat you with the same. Thank you for contributing to the safety and integrity of ConveYour.