Program Rules

Maintaining top-notch security is a group effort and Silent Circle encourages independent security researchers to help us spot potential issues. To recognize such efforts and the important role they play in keeping the Silent Circle ecosystem safe we offer a bounty for reporting qualifying security vulnerabilities.

Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Rewards

Silent Circle may provide rewards to eligible reporters of qualifying vulnerabilities. The standard reward is $128.00 USD. Reward amounts may vary depending upon the severity of the vulnerability reported. Silent Circle will determine, in its discretion, whether a reward should be granted and the amount of the reward.

Eligibility and Responsible Disclosure

We are pleased to thank every researcher who submits valid reports that help us improve the security of Silent Circle. However, only those that meet the following eligibility requirements may receive a reward:

• You must be the first reporter of a vulnerability;
• The vulnerability must be a qualifying vulnerability (see Scope);
• We can’t be legally prohibited from rewarding you;
• You may not publicly disclose the vulnerability prior to our resolution;
• You may not be employed by Silent Circle or its subsidiaries or related entities.

The Fine Print

As a condition of participation in this program, you hereby grant Silent Circle, its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Silent Circle in connection therewith, for any purpose.

You must comply with all applicable laws in connection with your participation in this program. This program is not an offer of employment, nor does it create a contractual relationship between Silent Circle and any other party. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.

Targets

  • Silent Circle endpoint applications on supported OSes
  • Silent Circle network services and cloud infrastructure
  • Associated web sites and web services

Please read and follow the rules in the Standard Disclosure Terms.

The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- Login page / forgot password page account brute force, or account lockout not enforced.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Self-XSS and issues exploitable only through Self-XSS.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.