This document outlines the AI Platform Bug Bounty Program, designed to encourage security researchers and ethical hackers to identify and report security vulnerabilities in our platform responsibly.
- Web Applications: aiplatform.io and all subdomains
- API Endpoints: All public and private API endpoints
- Mobile Applications: Official AI Platform mobile apps
- Desktop Applications: Official AI Platform desktop apps
- Infrastructure: Cloud infrastructure and services
- SDKs: All official software development kits
- Documentation: Official documentation sites
- Physical security: Physical access to servers or facilities
- Social engineering: Phishing, vishing, or other social engineering attacks
- Denial of service: DDoS, DoS, or other service disruption attacks
- Spam: Unsolicited bulk messaging or content
- Third-party services: Services not directly operated by AI Platform
- Previously reported issues: Vulnerabilities already reported or known
- Vulnerabilities in unsupported versions: Issues in versions no longer supported
- Remote code execution
- Privilege escalation to admin/system
- Authentication bypass
- SQL injection with data exfiltration
- Remote file inclusion
- Cryptographic weaknesses leading to data compromise
- Cross-site scripting (XSS) with user impact
- Cross-site request forgery (CSRF) with significant impact
- Insecure direct object references
- Security misconfigurations with data exposure
- Broken access control
- Server-side request forgery (SSRF)
- Cross-site scripting (XSS) with limited impact
- Information disclosure
- Weak cryptographic implementations
- Session management issues
- Insecure deserialization
- Business logic flaws
- Minor information disclosure
- Clickjacking
- Weak password requirements
- Missing security headers
- Directory listing
- Debug information exposure
| Severity | Reward Range | Examples |
|---|---|---|
| Critical | $5,000 - $15,000 | RCE, Authentication Bypass |
| High | $1,500 - $5,000 | XSS, CSRF, SSRF |
| Medium | $500 - $1,500 | IDOR, Misconfigurations |
| Low | $50 - $500 | Info Disclosure, Clickjacking |
- First-time reporters: 10% bonus for first valid submission
- High-quality reports: Up to 25% bonus for exceptional detail
- Multiple vulnerabilities: 10% bonus for related vulnerability chains
- Zero-day discoveries: Up to 50% bonus for previously unknown vulnerabilities
- PayPal: Fast processing, worldwide availability
- Bank Transfer: For larger rewards, direct deposit
- Cryptocurrency: Bitcoin, Ethereum (for international researchers)
- Gift Cards: Amazon, Steam (for researchers under 18)
- Discovery: Identify a potential vulnerability
- Documentation: Prepare a detailed report
- Submission: Submit through the official portal
- Triage: Our team reviews and validates the report
- Resolution: We work to fix the vulnerability
- Reward: Payment issued after successful resolution
A complete vulnerability report must include:
- Title: Clear, descriptive title
- Severity: Your assessment of the vulnerability severity
- Description: Detailed explanation of the vulnerability
- Steps to Reproduce: Clear, step-by-step reproduction guide
- Impact: Explanation of potential impact
- Affected Components: Specific systems, endpoints, or features affected
- Proof of Concept: Working example or demonstration
## Vulnerability Report
### Summary
Brief overview of the vulnerability
### Description
Detailed technical explanation of the vulnerability
### Steps to Reproduce
1. Navigate to [endpoint]
2. Perform [specific action]
3. Observe [vulnerable behavior]
### Expected Behavior
What should happen
### Actual Behavior
What actually happens
### Proof of Concept
```http
GET /api/v1/vulnerable-endpoint HTTP/1.1
Host: api.aiplatform.io
Authorization: Bearer [REDACTED]
HTTP/1.1 200 OK
Content-Type: application/json
{
"sensitive_data": "exposed_information"
}Explanation of potential impact if exploited
Optional: Your suggestions for fixing the vulnerability
### Submission Portal
- **URL**: https://hackerone.com/aiplatform
- **Email**: security@aiplatform.io (for sensitive reports)
- **PGP Key**: Available at https://aiplatform.io/security/pgp-key.txt
## 5. Rules and Guidelines
### Responsible Disclosure
- **No exploitation**: Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- **No data access**: Do not access, modify, or delete user data
- **No denial of service**: Do not perform attacks that disrupt service
- **No social engineering**: Do not use phishing or other social engineering techniques
- **No physical access**: Do not attempt to gain physical access to systems
### Prohibited Activities
- **Automated scanning**: No automated tools without prior permission
- **Third-party impact**: Do not test third-party services
- **User impact**: Do not impact other users or their data
- **Public disclosure**: Do not publicly disclose vulnerabilities before resolution
- **Multiple submissions**: Do not submit the same vulnerability multiple times
### Legal Safe Harbor
We will not pursue legal action against researchers who:
- Make a good faith effort to avoid privacy violations
- Do not modify or destroy data
- Do not disrupt services
- Follow responsible disclosure practices
- Comply with all program rules
## 6. Program Policies
### Duplicate Reports
- **First reporter**: Full reward for the first valid report
- **Subsequent reporters**: Recognition only for duplicate reports
- **Simultaneous reports**: Shared reward for reports submitted within 24 hours
### Reward Determination
Factors considered when determining rewards:
- **Severity**: Impact and exploitability of the vulnerability
- **Quality**: Clarity and completeness of the report
- **Uniqueness**: Novelty of the vulnerability
- **Timeliness**: How quickly the report was submitted
- **Cooperation**: Researcher's cooperation during resolution
### Timeline Expectations
- **Initial response**: Within 3 business days
- **Triage**: Within 7 business days
- **Resolution**: Within 30-90 days depending on severity
- **Reward payment**: Within 14 days of resolution
## 7. Hall of Fame
### Recognition Program
We recognize outstanding contributors in our Hall of Fame:
- **Platinum Researchers**: 5+ critical vulnerabilities
- **Gold Researchers**: 10+ high vulnerabilities
- **Silver Researchers**: 25+ medium vulnerabilities
- **Bronze Researchers**: 50+ low vulnerabilities
### Public Recognition
- **Annual awards**: Recognition at security conferences
- **Researcher spotlight**: Featured interviews and profiles
- **Conference invitations**: Invitations to speak at events
- **Swag rewards**: Branded merchandise and gifts
## 8. Communication Guidelines
### Preferred Communication
- **HackerOne**: Primary platform for all communications
- **Email**: security@aiplatform.io for sensitive matters
- **Encryption**: PGP encryption required for sensitive communications
### Response Expectations
- **Business hours**: Responses during standard business hours (9AM-5PM UTC)
- **Urgent issues**: 24/7 response for critical security issues
- **Status updates**: Weekly updates during active resolution
- **Resolution notification**: Notification when fix is deployed
## 9. Vulnerability Disclosure Policy
### Disclosure Timeline
- **Critical**: 90 days from report to public disclosure
- **High**: 90 days from report to public disclosure
- **Medium**: 90 days from report to public disclosure
- **Low**: 90 days from report to public disclosure
### Early Disclosure
Early disclosure may be permitted for:
- **Active exploitation**: If vulnerability is being actively exploited
- **Vendor coordination**: When coordinating with other vendors
- **Researcher needs**: For academic or research purposes (with approval)
### Credit Policy
- **Full credit**: Researchers receive full credit for their discoveries
- **Anonymity**: Researchers may request anonymous disclosure
- **Company credit**: AI Platform receives credit for fixes and mitigations
## 10. Program Management
### Team Structure
- **Program Manager**: Oversees overall program operations
- **Triage Team**: Reviews and validates vulnerability reports
- **Engineering Team**: Implements fixes and mitigations
- **Legal Team**: Handles legal and compliance matters
- **Communications Team**: Manages external communications
### Continuous Improvement
- **Quarterly reviews**: Regular program evaluation and improvement
- **Researcher feedback**: Regular surveys and feedback collection
- **Industry benchmarking**: Comparison with other bug bounty programs
- **Technology updates**: Adoption of new tools and processes
### Metrics and Reporting
```python
# bug_bounty_metrics.py
class BugBountyMetrics:
def __init__(self):
self.reports_submitted = 0
self.reports_valid = 0
self.reports_resolved = 0
self.total_rewards = 0
self.average_response_time = 0
def calculate_metrics(self):
"""Calculate key program metrics"""
metrics = {
"acceptance_rate": self.reports_valid / self.reports_submitted * 100,
"resolution_rate": self.reports_resolved / self.reports_valid * 100,
"average_reward": self.total_rewards / self.reports_resolved,
"response_time": self.average_response_time
}
return metrics
def generate_report(self):
"""Generate monthly program report"""
metrics = self.calculate_metrics()
report = {
"period": "monthly",
"metrics": metrics,
"improvements": self.suggest_improvements(metrics)
}
return report
- Sandbox environment: Isolated testing environment for researchers
- Test accounts: Dedicated accounts for testing purposes
- Documentation: Comprehensive API and system documentation
- Support: Dedicated support for researchers
- API documentation: Complete API reference and examples
- SDKs: Official software development kits
- Sample data: Test data for various scenarios
- Testing tools: Recommended tools for vulnerability testing
- Webinars: Regular security training sessions
- Documentation: Comprehensive security guides
- Community: Access to security researcher community
- Certifications: Support for security certifications
- GDPR: Compliance with data protection regulations
- SOX: Compliance with financial reporting requirements
- ISO 27001: Information security management standards
- PCI DSS: Payment card industry compliance (if applicable)
- Terms of service: Clear terms for program participation
- Liability protection: Legal protection for good faith researchers
- Data protection: Protection of personal and sensitive data
- Intellectual property: Respect for intellectual property rights
The AI Platform Bug Bounty Program represents our commitment to security and responsible vulnerability disclosure. By working with the security research community, we can identify and address potential security issues before they can be exploited maliciously.
We encourage all security researchers to participate in our program and help us maintain the highest standards of security for our users.
Program Launch Date: January 15, 2026 Program Manager: security@aiplatform.io HackerOne Profile: https://hackerone.com/aiplatform
This document is subject to change. Last updated: December 28, 2025