Security researchers are invited to investigate vulnerabilities in Glints, so long as their research follows this responsible research and disclosure policy.

If you find a security issue, please let us know as soon as possible, and we will make every effort to correct the problem quickly once it is validated. Glints policy prohibits disclosing information about a problem outside of the program without the Glints team's explicit permission.

By participating in this program, you agree to be bound by these rules:

Rewards

Our reward strategy is impact-based. For example, we will offer a relatively high reward for a vulnerability that may leak sensitive user data, but very little or no reward for a vulnerability that might allow an attacker to deface a microsite. Our reward meetings have always included one question: if someone uses this in a malicious manner, how bad will it be? We assume the worst and pay out the bug accordingly.

In the event that we receive several reports for the same issue, we award the bounty to the earliest report with sufficient actionable information. We don’t want to encourage people to spam us with vague issues in an effort to be first.

In the event that a single fix resolves multiple vulnerabilities, we treat them as a single vulnerability. For example, if you find three vulnerabilities in a WordPress plugin we use, and our fix is to remove the plugin, you will receive a single bounty, determined as always by impact.

The payout ranges on this page are guidelines that express roughly how we think about the severity of different types of issues. They are not exact rules. Individual bugs may have attributes that raise or lower their severity, which can affect the payout.

Ultimately, all reward amounts are at our discretion, but we strive to be fair. Some researchers will disagree with some of our decisions, but we pay out according to our ethical obligations and trust that most will consider their rewards fair and, in many cases, generous. We will continue to refine the program as it matures.

💰 We try our best to cycle bounty payouts on Fridays.

Severity, bounty and examples

Critical (400 - 700 SGD)
  • Remote code execution on a production server.
  • Full account takeover without user interaction.
  • Payment or partner invoice information exposure at scale.
  • Potential access to source code.
  • Vulnerabilities leading to the compromise of an employee account.
  • 2FA bypass, etc.

High (200 - 400 SGD)
  • Stored Cross-site Scripting (XSS) which can cause significant brand damage (e.g. on the homepage).
  • Missing authorization checks leading to the exposure of email addresses, dates of birth, names, phone numbers, etc.

Medium (100 - 200 SGD)
  • Reflected Cross-site Scripting (XSS).
  • Cross-site Request Forgery (CSRF) issues.
  • Access control issues which do not expose PII but affect other accounts.
  • Account validation bypasses (being able to change the profile picture, etc.).
  • Any vulnerability which allows the bulk lookup of user UUIDs (e.g. turning an auto-incrementing ID into a UUID, or an email address into a UUID), etc.

Low (50 - 100 SGD)
  • Exposed logs without sensitive information.
  • Exposed API keys with low privileges, etc.

Trivial (no reward)
  • Duplicate.
  • N.A.
  • Informational bug(s).

Scope

Out-of-Scope Vulnerabilities

This section lists issues that will not be accepted under this program, either because of their malicious nature or because of their low security impact; such reports will be immediately marked as invalid.

There are certain findings that are explicitly excluded from the bounty program:

Fraud issues

If you wish to report fraud, please email [email protected]. Despite the importance of these types of issues, our current rewards program cannot support them. The bug bounty program does not currently consider them in scope unless they demonstrate a specific technical vulnerability in our software. Verifying phone numbers, credit cards, etc., is fraud-related and not covered by the bug bounty program.

Report Eligibility

Glints reserves the right to determine whether a report meets the minimum severity threshold and whether the issue has previously been reported.

Known issues

Please be aware that the Glints Security Team actively searches for vulnerabilities across all assets internally. If the reported issue is already familiar to us, we will close it as a duplicate.

Once we have made our final decision, we ask that you respect that decision and refrain from repeated negotiation.

Acquisitions

Newly acquired sites are subject to a 12-month blackout period. Early reports of bugs are certainly appreciated, but will not be rewarded.

Recently disclosed 0-day vulnerabilities

Just like everyone else, we need time to patch our systems - please give us two months before reporting these types of issues. We appreciate anyone alerting us to new CVEs, but these reports will not qualify for a reward.

Vulnerabilities found in third-party/vendors

Glints' bounty program does not cover vulnerabilities affecting assets outside its scope. If a vulnerability in a vendor or third-party asset is found to directly affect Glints, we will work with the vendor or third party on a best-effort basis to resolve it. In rare, exceptional cases, we may decide to reward such a report; however, that decision remains at our discretion.

Frequently Asked Questions