We are committed to building and serving a secure and stable product, and welcome security researchers from the community to participate in our bug bounty program. On this page you will find all the information needed to disclose to us, as well as what you can expect from us and what we expect of you and your report.
Please submit your full report to: disclosure@ipaper.io with as much information as possible based on the guidelines specified below.
We offer rewards depending on the severity of the bug found as well as the completeness of the report. The severity is determined solely at the discretion of iPaper after we have reviewed your report.
We generally do not offer rewards for things that are “best practice” only. This also means that we will not issue rewards for using automated vulnerability scanners to detect common things, and we require a proof of attack written in detail as specified below.
We offer payment through PayPal and wire transfers. If either of these is not an option for you, please reach out to us beforehand.
We track all issues disclosed to us, and will not be able to reward duplicate issues that are submitted to us.
Reports are expected to be thorough and contain enough information that the iPaper team can easily duplicate any findings. If specially crafted files are used, they should be submitted as attachments. Screenshots and videos are encouraged but should be accompanied by descriptions and explanations. Submissions should not consist solely of a video or screenshots.
Reports are welcome for issues that cannot be proven but still suggest a serious impact. We trust reporters to make that determination and will assist in clarifying impact and adjusting the severity as needed. It is better to report a vulnerability early while we help determine the impact rather than waiting days or weeks to create proof.
To be eligible to participate in iPaper’s bug bounty program, we ask that all researchers act in good faith, which means:
Failure to follow these rules will result in your reports being ineligible for bounty rewards.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
We reserve the right to modify or terminate this program at any time.
Happy</hacking>