Vulnerability Rewards Program

Security is in our DNA

At ThreatKey, we believe in the importance of security and are committed to protecting our clients' data. As part of our ongoing commitment to security, we are pleased to announce our vulnerability rewards program.

Through this program, we are offering financial rewards to individuals who are able to identify and responsibly disclose security vulnerabilities in our SaaS platform. By participating in this program, you can help us maintain the highest levels of security for our clients and be recognized for your contribution.

To be eligible for a reward, you must be the first person to report a unique and previously unknown vulnerability to us. The severity of the reward will be determined based on the potential impact of the vulnerability and the quality of the report.

To submit a vulnerability report, please email us at security@threatkey.com with a detailed description of the issue, including steps to reproduce it if possible. Please do not attempt to exploit the vulnerability or disclose it to any third parties.

We are grateful to the security community for helping us keep our platform secure and look forward to working with you through this program. Thank you for your support!

Testing is only authorized on the targets listed as In-Scope:

  • app.threatkey.com
  • www.threatkey.com
  • api.threatkey.com

Any domain/property of ThreatKey not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Vulnerabilities not eligible for a reward:

  • Social engineering attempts on our staff, including phishing emails
  • Attempts to access our offices or data centers
  • Vulnerabilities in vendors we integrate with
  • Use of automated tools that generate significant traffic and impair our application's functionality
  • Reports solely indicating a lack of a possible security defense, such as certificate pinning
  • Two-factor authentication bypass that requires physical access to a logged-in device
  • Attacks that require physical access to, or modification of, the software
  • The mostly static support website hosted on https://docs.threatkey.com/
  • Vulnerabilities that are already known (e.g. discovered by an internal team)
  • Passive mixed content on web pages
  • Open redirect with low security impact. If you can chain with other vulnerabilities (e.g. steal OAuth tokens, SSRF, etc.) we are still interested in hearing about them.
  • Generic information disclosure (e.g. a stack trace) without additional impact
  • Issues that merely result in spam/annoyance without additional impact (e.g. sending emails without sufficient rate limiting)
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis

Additionally, the following reports do not qualify for a reward:

  • Lack of email address verification during account registration. We are continually making improvements to our registration flow.