Snatch App ® Bug Bounty Program
Security is a collaboration
Our team is committed to protecting our users. No technology is perfect, and Snatch App believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our messaging platform, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Like other major technology companies, Snatch App incentivizes security researchers to report security vulnerabilities in Snatch App technologies to us to enable a coordinated response and minimize the risk to persons potentially subject to or affected by the vulnerability. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
To qualify for a reward under this program, you must:
- Be the first to report a specific vulnerability.
- Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.
- Disclose the vulnerability report responsibly to us. Public disclosure or disclosure to other third parties – including vulnerability brokers – before we addressed your report forfeit the reward.
- Demonstrate care in reproducing the vulnerability. In particular, test only on accounts you own and do not attempt to view or tamper with data belonging to others.
We will reward reports according to their severity on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs; we may also pay less for bugs with complex prerequisites that lower risk of exploitation. Qualifying security vulnerabilities can be rewarded with up to $100,000, depending on our assessment of severity as calculated by likelihood and impact. Our minimum reward is $250 USD.
We are particularly interested in the following categories of security bugs. Here are the current minimum payments for each:
- Server-Side Remote Code Execution (e.g. command injection)
- Remote Code Execution on Spectacles
- Significant Authentication Bypass / Logic Flaw
- Unrestricted File System Access
- XSS or XSRF With Significant Security Impact
Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.
Non-qualifying vulnerabilities and exclusions
- Social engineering attempts on our staff including phishing emails
- Attempts to access our offices or data centers
- Vulnerabilities in a vendor we integrate with
- Use of automated tools that could generate significant traffic and possibly impair the functioning of our application
- Reports solely indicating a lack of a possible security defense such as certificate pinning. We constantly make security improvements to our product offering.
- Screenshot detection avoidance. This exclusion may be lifted under reasonable constraints in the future.
- Two-factor authentication bypass that requires physical access to a logged-in device.
- Scan’s mobile and desktop applications are not currently in scope.
- Attacks that require physical access to or modification of the hardware are not in scope
- Vulnerabilities that are already known (e.g. discovered by an internal team)
- Passive mixed content on web pages and website itself
- Open redirect with low security impact. If you can chain with other vulnerabilities (e.g. steal OAuth tokens, SSRF, etc.) we are still interested in hearing about them.
- Generic information disclosure(e.g. Stack trace) without additional impact
- Issues that merely result in spam/annoyance without additional impact (e.g sending emails without sufficient rate limiting)
Additionally, the following reports do not qualify for a reward:
- Lack of email address verification during account registration. We are currently making improvements to our registration flow.
- Local access to user data when operating a rooted mobile device.
- Support for RC4 in SSL/TLS negotiation. For our domains scoped in this rewards program, SSL/TLS is handled by Google AppEngine itself and Google routinely reviews its cipher suite support.
- Tampering with the host header in the request and receiving a redirect to a safe domain. This is handled by Google AppEngine itself; it is not specific to Snatch App and we do not find issues with it
If you’re on a sanctions list, or live in a country that’s on a sanctions list, we cannot give you a reward. Keep in mind that your citizenship and residency may affect whether you owe taxes on any reward you receive, and you alone are responsible for paying those taxes. We, of course, reserve the right to cancel or modify this program at any time. And the ultimate decision over an award – whether to give one and in what amount – is a decision that lies entirely within our discretion.
Finally, and needless to say, please do not violate any laws when conducting your tests.