Security Bounty Program


The Program applies to security vulnerabilities found within the GFAL Platform Environment, which encompasses websites, APIs, mobile applications, and other digital services. Vulnerabilities associated with any third-party services, products, or external organizations are out-of-scope and ineligible for bounty rewards.

A security vulnerability is a flaw or weakness in the system that could be exploited to compromise the integrity, availability, or confidentiality of the platform or its users' data. To be eligible for a reward, submissions must pertain to a new, previously unreported vulnerability. High-impact vulnerabilities are of particular interest, but any issue that poses a realistic threat to the GFAL Platform, its users, or the broader digital community may be considered.

Reporting Process

Vulnerabilities should be reported via the platform provided, with sufficient details and reproduction steps. Acknowledgment of receipt will typically be provided within one business day. Duplicate submissions are ineligible for rewards, and updates on ongoing remediation efforts may not be available until resolution.



Characteristics of interest include, but are not limited to, vulnerabilities that:

  • Compromise user data confidentiality or integrity
  • Enable unauthorized access or privilege escalation
  • Bypass security controls
  • Allow remote code execution
  • Are reliably exploitable (not purely theoretical)


Certain types of vulnerabilities are excluded from the program, including:

  • Attacks against the GFAL Platform's infrastructure
  • Social engineering and physical attacks
  • Large-scale DDoS attacks
  • Vulnerabilities less than 90 days from patch release
  • Usability issues and non-security-related bugs
  • Issues in third-party products or services
  • Duplicate reports of previously identified issues

Submitters must not be employed by, or directly affiliated with, the GFAL Platform and must not disclose vulnerabilities to any third parties prior to reporting and resolution.

Awarding Process

Awards are granted for resolved vulnerabilities, ranging from $50 to $3,000, depending on severity, impact, exploitability, and report quality. The decision criteria are at the sole discretion of the GFAL Platform.

Frequently Asked Questions

The FAQ section covers common queries, clarifies program specifics, and provides guidance on submitting high-quality reports.

Eligible submissions include new, previously unreported security vulnerabilities found within the GFAL Platform Environment, including websites, APIs, mobile applications, and digital services. Issues with third-party services, products, or external organizations are not eligible.

We consider vulnerabilities that compromise user data confidentiality or integrity, enable unauthorized access or privilege escalation, bypass security controls, allow remote code execution, and are reliably exploitable.

Awards are granted after the vulnerability is resolved. The award amount ranges from $50 to $3,000, based on severity, impact, exploitability, and report quality.

Submit detailed, high-quality reports with sufficient details and reproduction steps. Focus on high-impact vulnerabilities and ensure your findings are new and previously unreported.

A well-written report clearly describes the vulnerability, includes steps to reproduce the issue, provides evidence or a proof-of-concept, and assesses the potential impact.

Remediation times vary depending on the complexity and severity of the issue. We strive to acknowledge reports within one business day and will update you once the issue is resolved.

We may be unable to provide ongoing updates during the remediation process. Rest assured, all submissions are reviewed and we’ll reach out if additional information is needed.

While confidentiality is a key part of our program, you can request anonymized acknowledgment or a reference from us once the issue is resolved and publicly disclosed.

A duplicate submission is a report about a vulnerability that has already been submitted by someone else. We try to notify submitters of duplicate reports as soon as possible.

Reports might be rejected if they fall into excluded categories, like non-security-related bugs, issues in third-party products, or vulnerabilities less than 90 days from patch release. Unvalidated redirects and forwards might not meet our criteria for a significant security threat.


Program Terms and Conditions

Terms and conditions for the program are as follows:

  • "GFAL Platform" refers to GFAL Platform Services and its affiliates.
  • Submissions must comply with all legal requirements.
  • Employees and affiliates are ineligible for rewards.
  • Reports must be submitted promptly and kept confidential.
  • Rewards and recognition are at the discretion of the GFAL Platform.
  • Tax responsibilities lie with the recipient.
  • Testing must be conducted ethically and responsibly, without violating any laws or compromising any data.

The GFAL Platform reserves the right to modify or discontinue the program at any time.