Program Active

Security Vulnerability Reward Program

We take security seriously. If you discover a vulnerability in our platform, we want to hear from you — and we reward responsible disclosure generously.

  • Maximum Reward: ₹2,00,000
  • Initial Response: 48 hrs
  • Disclosure Window: 90 days
  • Severity Levels: 4 tiers

Reward Tiers

Rewards are determined based on the CVSS score and real-world impact of the vulnerability. Amounts listed are in Indian Rupees (INR).

Critical (CVSS 9.0 – 10.0)

  • Remote Code Execution (RCE)
  • Authentication bypass leading to full account takeover
  • SQL injection with mass data exfiltration
  • Privilege escalation to platform admin
  • Exposure of all user API keys

Reward: ₹75,000 – ₹2,00,000 per valid report

High (CVSS 7.0 – 8.9)

  • SSRF with access to internal services or cloud metadata
  • Significant PII or API key exposure (subset of users)
  • Broken authentication allowing impersonation
  • Unrestricted access to other users' logs or data
  • Insecure deserialization with remote code potential

Reward: ₹15,000 – ₹75,000 per valid report

Medium (CVSS 4.0 – 6.9)

  • Stored or Reflected Cross-Site Scripting (XSS)
  • CSRF with meaningful account or data impact
  • Insecure Direct Object References (IDOR)
  • Stack traces or verbose error messages exposing internals
  • Broken access control on non-sensitive admin routes

Reward: ₹3,000 – ₹15,000 per valid report

Low (CVSS 0.1 – 3.9)

  • Self-XSS with no meaningful attack surface
  • Missing security headers (CSP, HSTS, X-Frame-Options)
  • Minor rate-limiting gaps on low-impact endpoints
  • Non-sensitive information disclosure
  • Open redirect without chaining potential

Reward: ₹500 – ₹3,000 per valid report

Scope

Only reports against the assets listed below are eligible for rewards.

In Scope

  • apis.a-log.in (main platform and API gateway)
  • Authentication and session management
  • API key generation, storage, and validation
  • All documented API endpoints (/api/*)
  • Signup and login flows
  • User wallet and billing logic
  • Admin dashboard access controls

Out of Scope

  • Denial of Service (DoS / DDoS) attacks
  • Physical attacks against infrastructure
  • Social engineering of employees
  • Third-party services and integrations (Google reCAPTCHA, Vercel, Neon, etc.)
  • Vulnerabilities requiring physical access to a victim's device
  • Issues in outdated browsers or non-standard environments
  • Scanner-generated reports without proof of exploitability
  • Brute force attacks

How to Report

Follow these steps to submit a vulnerability report and maximize your chances of a valid reward.

1. Reproduce the Issue

Verify the vulnerability is reproducible and document exact steps to trigger it.

2. Assess Impact

Consider what data or systems could be accessed, modified, or disrupted.

3. Write Your Report

Include a clear title, description, reproduction steps, CVSS score estimate, and PoC.

4. Submit via Email

Send your report to security@a-log.in with the subject 'Bug Bounty Report'.

Report Template

Subject: Bug Bounty Report — [Brief Title]

**Vulnerability Type:** (e.g., SQL Injection, XSS, IDOR)
**Severity Estimate:** Critical / High / Medium / Low
**CVSS Score (optional):** X.X

**Description:**
[Explain the vulnerability clearly]

**Steps to Reproduce:**
1. ...
2. ...
3. ...

**Impact:**
[Describe what an attacker could achieve]

**Proof of Concept:**
[Screenshots, curl commands, or code snippets]

**Suggested Fix (optional):**
[Your recommendation]

Program Rules

By participating in this program you agree to the following responsible disclosure guidelines.

Do Not Disclose

Do not publicly disclose the vulnerability until it has been resolved and you have received written authorization from us.

Minimal Impact

Only access data necessary to prove the vulnerability. Do not modify, delete, or exfiltrate user data beyond a minimal PoC.

No Automated Scanning

Do not use automated scanners against production infrastructure without prior written approval.

Act in Good Faith

Do not engage in any activity that could harm users, disrupt services, or violate applicable laws.

One Report per Issue

Submit one report per unique vulnerability. Duplicate reports will credit the first reporter.

No Third-Party Testing

You may not test on behalf of another researcher or organization without explicit consent from both parties.

Safe Harbor

APIs.a-log.in will not pursue legal action against security researchers who discover and report vulnerabilities in good faith and in accordance with this policy. We consider security research conducted under this program to be authorized. We will work with you to understand and resolve issues quickly. We appreciate your help in keeping our platform secure and will recognize your contribution publicly (with your permission) in our Hall of Fame.

Hall of Fame

We gratefully acknowledge the researchers who have helped improve our security.

Be the first!

No reports yet. Discover a vulnerability and your name could be the first listed here.