Vulnerability Disclosure & Bug Bounty Policy
Get BOB values the security of our platform and appreciates the efforts of security researchers who help us identify and responsibly disclose vulnerabilities.
This policy explains how to report security issues, how we handle vulnerability reports, and what researchers can expect from our program.
1. Our Program
Get BOB operates a responsible vulnerability disclosure program, not a guaranteed paid bug bounty program.
We welcome reports of legitimate security vulnerabilities that could affect the confidentiality, integrity, or availability of our systems or customer data.
We evaluate reports based on their demonstrated technical impact, reproducibility, exploitability, and practical risk. Hypothetical or speculative downstream impacts, without evidence of the claimed security consequence, will generally not affect severity classification.
By submitting a vulnerability report, you acknowledge that participation in this program is voluntary and subject to the terms of this policy.
2. Rewards
We may, at our sole discretion, choose to recognize or reward researchers for exceptional vulnerability reports.
However:
- We do not guarantee monetary compensation.
- We do not negotiate bounty amounts after receiving unsolicited reports.
- Submission of a report does not create any obligation for Get BOB to provide payment, employment, consulting opportunities, public recognition, or any other compensation.
- Any reward offered is entirely voluntary and determined solely by Get BOB.
Researchers who require guaranteed compensation or wish to provide paid security consulting services should obtain written authorization from Get BOB before conducting security testing.
Get BOB does not enter into pay-for-disclosure arrangements or negotiate advance payments in exchange for vulnerability information.
3. Typical Recognition
The following ranges are provided solely to help set expectations and are not guaranteed.
| Severity | Typical Recognition* |
|---|---|
| Informational | No reward |
| Low | No reward |
| Medium | Up to $50 USD |
| High | Up to $100 USD |
| Critical | Up to $250 USD |
*Illustrative only. Rewards are entirely discretionary and depend on the demonstrated impact of the vulnerability, the quality and originality of the report, whether the issue was previously known, and our available program budget.
4. Payment Method
If Get BOB elects to provide a monetary reward, payment will be made only by one of the following methods:
- International bank wire transfer
- Revolut transfer
We do not provide rewards through PayPal, Venmo, Cash App, Wise, cryptocurrency, gift cards, prepaid cards, or any other payment method.
Researchers are responsible for providing accurate payment details and for any taxes, fees, or charges associated with receiving a reward.
Get BOB may require reasonable identity verification and documentation before issuing any payment, including where required to comply with applicable laws, regulations, or financial institution requirements.
5. First Report Wins
Rewards and recognition are generally offered only once for each unique underlying vulnerability.
- Eligibility is determined on a first-come, first-served basis.
- The first sufficiently detailed report that allows us to reproduce and validate the issue will generally be considered the qualifying submission.
- Duplicate reports, including reports of vulnerabilities we are already aware of or actively addressing, are generally not eligible for rewards.
- Multiple reports describing the same underlying issue are treated as a single finding for reward purposes.
6. What To Report?
We are interested in vulnerabilities that could have a meaningful security impact, including:
- Authentication or authorization bypass
- Privilege escalation
- Remote code execution
- SQL injection or command injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Sensitive data exposure
- Significant business logic flaws
- Other vulnerabilities with a demonstrable and reproducible impact on the security of our platform or customer data.
Reports should include sufficient evidence to reproduce the issue and demonstrate the actual security impact observed.
Severity is determined by the demonstrated impact of the reported issue, not solely by CVSS scores, CWE classifications, theoretical attack chains, or hypothetical downstream consequences.
7. Out Of Scope
The following issues generally do not qualify for rewards and may not receive an individual response:
- Missing or recommended HTTP security headers
- Clickjacking without a demonstrated exploit
- Missing SPF, DKIM, or DMARC records
- SSL/TLS configuration recommendations without exploitable impact
- Version disclosure or banner grabbing
- Rate-limiting suggestions without demonstrated abuse
- Information disclosed through publicly available sources
- Best-practice recommendations
- Self-XSS
- Reports requiring unrealistic user interaction
- Social engineering
- Physical security issues
- Denial-of-service or resource exhaustion testing
- Third-party vulnerabilities outside Get BOB’s control
- Issues already known to Get BOB
- Duplicate reports
8. Rules Of Engagement
When testing our systems, you agree to:
- Act in good faith.
- Avoid accessing, modifying, deleting, or retaining customer data.
- Avoid disrupting our services or degrading their availability.
- Stop testing once sufficient evidence has been obtained.
- Report vulnerabilities promptly.
- Keep vulnerability details confidential until Get BOB has had a reasonable opportunity to remediate the issue.
- Comply with all applicable laws and regulations.
9. Safe Harbor
If you conduct security research in good faith and in accordance with this policy, Get BOB will not pursue legal action against you solely for activities that comply with this policy.
This safe harbor applies only to activities that comply with this policy and applicable law.
10. Response Process
While response times vary, we generally aim to:
- Acknowledge receipt of reports within several business days.
- Independently validate reported vulnerabilities and assess their demonstrated impact and severity.
- Prioritize remediation based on risk and impact.
- Provide updates when practical.
11. Public Disclosure
Please do not publicly disclose vulnerability details until Get BOB has confirmed that the issue has been remediated or we have mutually agreed upon a disclosure timeline.
Failure to adhere to this requirement may affect eligibility for future participation in Get BOB's Vulnerability Disclosure & Bug Bounty Program.
12. Contact
Security reports should be submitted to:
Please include:
- A clear description of the vulnerability
- Steps to reproduce
- The affected URL, endpoint, or feature
- An assessment of the potential impact
- Proof of concept or supporting evidence, where applicable
This document was last updated on July 2, 2026