Introduction
Level All is committed to the security of our products and services. We value the contributions of security researchers and appreciate your efforts in helping us identify and resolve vulnerabilities. This bug bounty program outlines the scope, rules, and rewards for reporting security vulnerabilities to us.
Scope
This program covers the following assets:
This does not include applications on any other subdomain of levelall.com.
Out-of-scope vulnerabilities include:
Denial-of-service attacks, social engineering, physical security testing, vulnerabilities in third-party applications or services, automated scanning results without proof of exploitability, missing security headers on non-sensitive pages.
Rules and Guidelines
Responsible Disclosure: Submit vulnerability reports responsibly and in good faith. Do not publicly disclose vulnerabilities before they have been resolved.
Testing: Only test against assets within the scope of this program. Do not attempt to access or modify data that does not belong to you. Do not perform actions that could disrupt our services.
Confidentiality: Keep vulnerability information confidential. Do not share it with third parties.
Reporting: Submit detailed vulnerability reports, including:
A clear description of the vulnerability.
Steps to reproduce the vulnerability.
Proof of concept (e.g., screenshots, videos, code).
Potential impact of the vulnerability.
Your contact information.
Communication: We will acknowledge your report and keep you informed of the progress of our investigation.
Eligibility: Only the first reporter of a valid vulnerability will be eligible for a bounty.
No Duplicates: If a vulnerability has already been reported internally or by another researcher, it will not be eligible for a bounty.
No automated scanning: Automated scanning of our systems is prohibited without express permission.
Legal: You must comply with all applicable laws.
Reward Tiers
Rewards will be based on the severity of the vulnerability, as determined by the Common Vulnerability Scoring System (CVSS).
Critical: $1000
High: $500
Medium: $100
Low: $50
Informational: No monetary reward.
Examples of vulnerability types and their relative severity
Critical: Remote code execution, SQL injection, authentication bypass.
High: Cross-site scripting (XSS), cross-site request forgery (CSRF), sensitive data exposure.
Medium: Insecure direct object references (IDOR), missing security headers, information disclosure.
Low: Clickjacking, minor information disclosure.
Reporting Process
Please submit vulnerability reports to: help@levelall.com
Legal
Level All reserves the right to modify or terminate this program at any time. By participating in this program, you agree to these terms and conditions.
Safe Harbor
We will not pursue legal action against researchers who comply with the rules and guidelines of this program.
Disclaimer
Level All makes no guarantees regarding the payment of bounties. All bounty decisions are at the sole discretion of Level All.
Privacy
Any personal information you provide will be used in accordance with our privacy policy.
Thank you for helping us improve the security of our products and services!