Vulnerability Disclosure & Bug Bounty Policy

Get BOB values the security of our platform and appreciates the efforts of security researchers who help us identify and responsibly disclose vulnerabilities.

This policy explains how to report security issues, how we handle vulnerability reports, and what researchers can expect from our program.

1. Our Program

Get BOB operates a responsible vulnerability disclosure program, not a guaranteed paid bug bounty program.

We welcome reports of legitimate security vulnerabilities that could affect the confidentiality, integrity, or availability of our systems or customer data.

We evaluate reports based on their demonstrated technical impact, reproducibility, exploitability, and practical risk. Hypothetical or speculative downstream impacts, without evidence of the claimed security consequence, will generally not affect severity classification.

By submitting a vulnerability report, you acknowledge that participation in this program is voluntary and subject to the terms of this policy.

2. Rewards

We may, at our sole discretion, choose to recognize or reward researchers for exceptional vulnerability reports.

However:

  • We do not guarantee monetary compensation.
  • We do not negotiate bounty amounts after receiving unsolicited reports.
  • Submission of a report does not create any obligation for Get BOB to provide payment, employment, consulting opportunities, public recognition, or any other compensation.
  • Any reward offered is entirely voluntary and determined solely by Get BOB.

Researchers who require guaranteed compensation or wish to provide paid security consulting services should obtain written authorization from Get BOB before conducting security testing.

Get BOB does not enter into pay-for-disclosure arrangements or negotiate advance payments in exchange for vulnerability information.

3. Typical Recognition

The following ranges are provided solely to help set expectations and are not guaranteed.

Severity         Typical Recognition*
Informational    No reward
Low              No reward
Medium           Up to $50 USD
High             Up to $100 USD
Critical         Up to $250 USD

*Illustrative only. Rewards are entirely discretionary and depend on the demonstrated impact of the vulnerability, the quality and originality of the report, whether the issue was previously known, and our available program budget.

4. Payment Method

If Get BOB elects to provide a monetary reward, payment will be made only by one of the following methods:

  • International bank wire transfer
  • Revolut transfer

We do not provide rewards through PayPal, Venmo, Cash App, Wise, cryptocurrency, gift cards, prepaid cards, or any other payment method.

Researchers are responsible for providing accurate payment details and for any taxes, fees, or charges associated with receiving a reward.

Get BOB may require reasonable identity verification and documentation before issuing any payment, including where required to comply with applicable laws, regulations, or financial institution requirements.

5. First Report Wins

Rewards and recognition are generally offered only once for each unique underlying vulnerability.

  • Eligibility is determined on a first-come, first-served basis.
  • The first sufficiently detailed report that allows us to reproduce and validate the issue will generally be considered the qualifying submission.
  • Duplicate reports, including reports of vulnerabilities we are already aware of or actively addressing, are generally not eligible for rewards.
  • Multiple reports describing the same underlying issue are treated as a single finding for reward purposes.

6. What To Report?

We are interested in vulnerabilities that could have a meaningful security impact, including:

  • Authentication or authorization bypass
  • Privilege escalation
  • Remote code execution
  • SQL injection or command injection
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Sensitive data exposure
  • Significant business logic flaws
  • Other vulnerabilities with a demonstrable and reproducible impact on the security of our platform or customer data.

Reports should include sufficient evidence to reproduce the issue and demonstrate the actual security impact observed.

Severity is determined by the demonstrated impact of the reported issue, not solely by CVSS scores, CWE classifications, theoretical attack chains, or hypothetical downstream consequences.

7. Out Of Scope

The following issues generally do not qualify for rewards and may not receive an individual response:

  • Missing or recommended HTTP security headers
  • Clickjacking without a demonstrated exploit
  • Missing SPF, DKIM, or DMARC records
  • SSL/TLS configuration recommendations without exploitable impact
  • Version disclosure or banner grabbing
  • Rate-limiting suggestions without demonstrated abuse
  • Information disclosed through publicly available sources
  • Best-practice recommendations
  • Self-XSS
  • Reports requiring unrealistic user interaction
  • Social engineering
  • Physical security issues
  • Denial-of-service or resource exhaustion testing
  • Third-party vulnerabilities outside Get BOB’s control
  • Issues already known to Get BOB
  • Duplicate reports

Reports generated primarily through automated scanners or AI tools without meaningful manual validation or a demonstrated security impact may be closed without further review and are generally not eligible for rewards.

8. Rules Of Engagement

When testing our systems, you agree to:

  • Act in good faith.
  • Avoid accessing, modifying, deleting, or retaining customer data.
  • Avoid disrupting our services or degrading their availability.
  • Stop testing once sufficient evidence has been obtained.
  • Report vulnerabilities promptly.
  • Keep vulnerability details confidential until Get BOB has had a reasonable opportunity to remediate the issue.
  • Comply with all applicable laws and regulations.

9. Safe Harbor

If you conduct security research in good faith and in accordance with this policy, Get BOB will not pursue legal action against you solely for activities that comply with this policy.

This safe harbor applies only to activities that comply with this policy and applicable law.

10. Response Process

While response times vary, we generally aim to:

  • Acknowledge receipt of reports within several business days.
  • Independently validate reported vulnerabilities and assess their demonstrated impact and severity.
  • Prioritize remediation based on risk and impact.
  • Provide updates when practical.

Due to the volume of reports and our available resources, we cannot guarantee detailed responses, timelines, or status updates for every submission.

11. Public Disclosure

Please do not publicly disclose vulnerability details until Get BOB has confirmed that the issue has been remediated or we have mutually agreed upon a disclosure timeline.

Failure to adhere to this requirement may affect eligibility for future participation in Get BOB's Vulnerability Disclosure & Bug Bounty Program.

12. Contact

Security reports should be submitted to:

privacy@getbob.ai

Please include:

  • A clear description of the vulnerability
  • Steps to reproduce
  • The affected URL, endpoint, or feature
  • An assessment of the potential impact
  • Proof of concept or supporting evidence, where applicable

This document was last updated on July 2, 2026.