• Points – $3,500 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

8 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

Latest hall of famers

Recently joined this program


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

NeoPhotonics invites you to test and help secure our network perimeter. We appreciate your efforts and hard work in making us more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


This program will not use the Vulnerability Rating Taxonomy, but the following rating system due to the nature of the scope.

Neophotonics is looking to make sure their perimeter is secure, as such, ratings will follow some general guidelines:

  • P1 (Critical) - Compromise of Firewall system by the attacker. Unauthorized remote users getting into the network through bypassing the firewall rules.
  • P2 (Important) - Any issue where a full bypass of the Firewall, IDS, main routers, or issues where unencrypted traffic can be derived. For full rewards, please provide a proof of concept and detailed information.
  • P3 (Moderate) - Any issue where a information about the internal structure of a network can be gleaned
  • P4 (Low) - Any issue with a current CVE that does not fall under the above categories.

The Common Vulnerability Scoring System (CVSS) methodology will be used for generating the numerical score reflecting the vulnerability severity. The numerical score can then be translated into a qualitative representation (such as Critical, High, Medium or Low)

Priority CVSS $ Amount
P1 9.0-10 $2,500
P2 8.0-8.9 $2,000
P2 7.5-7.9 $1,500
P2 7.0-7.4 $1,000
P3 6.0-6.9 $500
P4 5.0-5.9 Kudos
P4 4.0-4.9 Kudos
P4 3.8-3.9 Kudos
P4 2.0-3.7 Kudos
P4 0.1-1.9 Kudos

It is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward range

Last updated

Technical severity Reward range
p1 Critical $1,750 - $3,500
p2 Severe $850 - $1,750
p3 Moderate $250 - $850
p4 Low Up to: $250
P5 submissions do not receive any rewards for this program.


In scope

Target name Type | China, Shenzhen | China Telecom Internet | Juniper SRX550-645AP Other | China, Shenzhen | China Telecom Internet | Cisco ASA5525 Other | China, Shenzhen | Hong Kong Internet | Juniper SRX240H2 Other | US, San Jose | San Jose ATT Internet | Juniper SRX240H2 Other | US, San Jose | San Jose ComCast Internet | Juniper SRX240H2 Other | Japan, Takao | Takao NTT Internet | Juniper SRX240H2 Other | Japan, Takao | Takao NTT Internet | Cisco ASA5515 Other | Japan, Hachioji | Internet Firewall | Juniper SRX240H2 Other | US, San Jose-2 | Comcast Internet | Cisco ASA5525 Other | US, San Jose-2 | ATT Internet | Cisco ASA5525 Other | US, San Jose | ATT Internet | Cisco ASA5525 Other

Testing is only authorized on the IP ranges listed as In-Scope. Any domain/property of Neophotonics not listed in the targets section is out of scope. This includes any/all ranges not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.


In the event that you're able to access something internally, please do not pivot into other areas, or attempt to find issues internally. This is mainly an external network perimeter test.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.