Program Rules

Maintaining top-notch security is a group effort and Silent Circle encourages independent security researchers to help us spot potential issues. To recognize such efforts and the important role they play in keeping the Silent Circle ecosystem safe we offer a bounty for reporting qualifying security vulnerabilities.

Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Rewards

Silent Circle may provide rewards to eligible reporters of qualifying vulnerabilities. Reward amounts vary depending upon the severity of the vulnerability reported. Typically, the reward payout is (US) $1024 for P1, $512 for P2, $256 for P3, and $128 for P4 vulnerabilities. Silent Circle will determine, in its discretion, whether a reward should be granted and the amount of the reward.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. "Not Applicable" (P5) bugs will be outlined in the VRT.

Targets

  • Blackphone OS 2.0 and higher
  • Silent Phone Android
  • Silent Phone iOS
  • *silentcircle.com
  • *silentcircle.org
  • *blackphone.ch
  • Silent Circle endpoint applications on supported operating systems
  • Silent Circle network services and cloud infrastructure

Any domain/property of Silent Circle not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Eligibility and Responsible Disclosure

We are pleased to thank every researcher who submits valid reports that help us improve the security of the Silent Circle ecosystem. However, only those that meet the following eligibility requirements may receive a reward:

• You must be the first reporter of a vulnerability;
• The vulnerability must be a qualifying vulnerability (see Scope);
• We can’t be legally prohibited from rewarding you;
• You may not publicly disclose the vulnerability;
• Not be employed by Silent Circle or its subsidiaries or related entities.

The Fine Print

As a condition of participation in this program, you hereby grant Silent Circle, its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Silent Circle in connection therewith, for any purpose.

You must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Silent Circle and any other party. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.

Please note that we are no longer accepting submissions for Blackphone 1. Only submissions for the Blackphone 2 OS 2.0 and above will be reviewed.

Rules

This bounty follows Bugcrowd’s standard disclosure terms.