Introduction to Spark Hire’s Bug Bounty Policy

How they’re submitted

Per our Privacy and Security Policy, security researchers may submit potential vulnerabilities to security(at)sparkhire.com.

How we assess submissions

When a potential vulnerability is reported, we will create an issue in our ticket tracking system. To treat all researchers fairly, submissions will be attributed to the first researcher who reports the potential issue. From there, we will analyze and discuss it. Future submissions of the same issue will be classified as a duplicate and not be considered for a reward. If we can reproduce the issue, we will assign a severity. We welcome guidance on severity from the submitter, but ultimately we may choose a different severity rating. See the table below for our typical classification guidelines. Based on the classification, we determine next steps for remediation in accordance with the remediation timeline.

The SLAs defined below are maximum remediation times, not our goal or our average timeline.

| Classification | Definition | Remediation SLA | Payout |
|---|---|---|---|
| Critical | Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices. | 30 Days | $500 |
| High | Exploitation could result in significant data loss, exfiltration, or downtime. | 30 Days | $250 |
| Medium | Vulnerabilities where exploitation provides only very limited access or requires user privileges for successful exploitation. | 60 Days | $100 |
| Low | Vulnerabilities in the low range typically have very little impact on an organization's business. | 120 Days | $25 |
| Informational | Vulnerabilities that have no practical attack vector or pose no measurable risk. | None | None |

When the remediation is performed, tested, and released to production, we will contact the security researcher who reported the vulnerability so they can confirm it is remediated from their perspective as well. Upon confirmation from the security researcher, we determine (and make) the payout.

Important Guidelines

  • Out of respect for our team's time, please do not reach out for updates regarding your submission. We will provide you with an update as soon as one is available. Researchers who repeatedly violate this guideline will be removed from our program as a trusted researcher.
  • We expect all researchers who participate in this program to act responsibly. Repeated disputes of the results of our investigation, or threats, will not be tolerated. Researchers who repeatedly violate this guideline will be removed from our program as a trusted researcher.

As always, if you have any questions or concerns about our handling of personal information, you may contact our privacy officer at privacy(at)sparkhire.com. Spark Hire reserves the right to change, modify, or remove this policy at any time.