Security Bounty Program

The security of our users’ data is a priority. We build our software and infrastructure with this goal in mind. That’s why we decided to welcome help from the outside through our bounty program to put our security to the test!

To take advantage of it, you’ll need to follow a few guidelines:

• Be a good citizen: Do not disturb the service. Follow the ToS. Avoid automated testing.
• Only test with your data. Do not interact with other accounts.
• If you gain access to our system, report it immediately.
• Do not publish any information regarding the vulnerability until we fixed it.
• We only award one bounty per vulnerability. If we receive multiple reports, the first one will receive the reward.

What we're looking for

We're looking for any security exploit. But we'll be extra generous with:

• Tampering data of other users. For example, this could be extracting or modifying someone's leads. Please note only proving an account exists isn't enough.
• Bypassing our API's security: If you're able to go a lot beyond your quota of requests per month or avoid authentication altogether.
• Cross-site scripting (XSS)
• Server-side code execution

Please keep in mind this bounty program doesn’t concern regular bugs in our application, but only security flaws allowing intruders to gain access to data of other users. If you wish to report a regular bug, contact contact@hunter.io.

Examples of Non-Qualifying exploits

• DOS / brute-force attacks
• Mixed-content scripts
• Social engineering
• Theoretical vulnerabilities
• Failures to adhere to "best practices" (for example, common HTTP headers, link expiration, email-validation or password policy)

Theoretical vulnerabilities we're aware of, but we decided they didn't present any risk in our case:

• Non-expiring session cookie: Hunter is protected through the use of HTTPS and our inclusion in the HSTS preload list of major browsers.
• Getting device or location information from a team member.

Rewards

Our reward system is flexible and doesn’t have any strict upper or lower limit. This means particularly creative or severe bugs will be rewarded accordingly. The amount will exclusively depend on the severity of the vulnerability.

Rewards will be sent using Paypal once the vulnerability has been fixed. These services collect a fee for processing the transaction, which gets deducted from the amount awarded.

Report submission

Please submit your report using our dedicated form. We answer all submissions within a few days. Once the patch is online, we’ll pay your bounty using PayPal.

If you have any questions regarding the program, please contact us at security@hunter.io.

Hall of fame

• Anabelle: Undisclosed amount
• Ahmed Adel Abdelfattah: $150
• Chase Miller: $150
• Prince Rawat: $50
• Maheshkumar Darji and Jigar Thakkar: $1400
• Harry M. Gertos: $150
• Aditya Agrawal: $150
• Waqar Vicky: $150
• Researcher asked to remain anonymous: $1150
• Muhammad Shahzaib: $50
• Evan Ricafort: $50
• Researcher asked to remain anonymous: $50
• Djamel Eddine Hakim Ghorab: $50
• Albin Thomas: $50
• Shen Ying: $50
• Abdelfattah Ibrahim: Undisclosed amount
• Abhishek Bundela: $50
• Junaid Mumtaz: $50
• Rodrigo Magalhães: $1050
• Mohammed Israil: Undisclosed amount
• Jasbeer Singh: $400
• Talha Saeed: $250
• Vikas Anil Sharma, Sushilratan Nandlal Ram & Sujeet Bhimrao Bhosale: Undisclosed amount
• Shubham Sohi: $50
• Fahimul Kabir (Secminer's BD): $50
• Sammam Qureshi: $50
• Alp Eren Keskin: $50
• Foysal Ahmed Fahim: $50
• Kitroville Capili: $650
• Nihad Mikaeel Rekany: $50
• Ritik Jangra: $75
• Raman R Mohurle: $25
• testt0: $50
• Barhaam: Undisclosed amount
• Ramdani: $100
• Sainikhil Turewale: $25
• Milan Jain: $50
• Kamalesh: $150
• Axel Flamcourt: $75
• Hasan Khan: $50
• André Neves: $50