Vulnerability Disclosure & Bug Bounty Policy
Get BOB values the security of our platform and appreciates the efforts of security researchers who help us identify and responsibly disclose vulnerabilities.
This policy explains how to report security issues, how we handle vulnerability reports, and what researchers can expect from our program.
1. Our Program
Get BOB operates a responsible vulnerability disclosure program, not a guaranteed paid bug bounty program.
We welcome reports of legitimate security vulnerabilities that could affect the confidentiality, integrity, or availability of our systems or customer data.
By submitting a vulnerability report, you acknowledge that participation in this program is voluntary and subject to the terms of this policy.
2. Rewards
We may, at our sole discretion, choose to recognize or reward researchers for exceptional vulnerability reports.
However:
- We do not guarantee monetary compensation.
- We do not negotiate bounty amounts after receiving unsolicited reports.
- Submission of a report does not create any obligation for Get BOB to provide payment, employment, consulting opportunities, public recognition, or any other compensation.
- Any reward offered is entirely voluntary and determined solely by Get BOB.
Researchers who require guaranteed compensation should obtain written authorization from Get BOB before conducting security testing.
3. Typical Recognition
The following ranges are provided solely to help set expectations and are not guaranteed.
| Severity | Typical Recognition* |
|---|---|
| Informational | No reward |
| Low | No reward |
| Medium | Up to $50 USD |
| High | Up to $100 USD |
| Critical | Up to $250 USD |
*Illustrative only. Rewards are entirely discretionary and depend on the demonstrated impact of the vulnerability, the quality and originality of the report, whether the issue was previously known, and our available program budget.
4. Payment Method
If Get BOB elects to provide a monetary reward, payment will be made only by one of the following methods:
- International bank wire transfer
- Revolut transfer
We do not provide rewards through PayPal, Venmo, Cash App, Wise, cryptocurrency, gift cards, prepaid cards, or any other payment method.
Researchers are responsible for providing accurate payment details and for any taxes, fees, or charges associated with receiving a reward.
Get BOB may require reasonable identity verification and documentation before issuing any payment, including where required to comply with applicable laws, regulations, or financial institution requirements.
5. First Report Wins
Rewards and recognition are generally offered only once for each unique underlying vulnerability.
- Eligibility is determined on a first come, first served basis.
- The first sufficiently detailed report that allows us to reproduce and validate the issue will generally be considered the qualifying submission.
- Duplicate reports, including reports of vulnerabilities we are already aware of or actively addressing, are generally not eligible for rewards.
- Multiple reports describing the same underlying issue are treated as a single finding for reward purposes.
6. What To Report?
We are interested in vulnerabilities that could have a meaningful security impact, including:
- Authentication or authorization bypass
- Privilege escalation
- Remote code execution
- SQL injection or command injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Sensitive data exposure
- Significant business logic flaws
- Other vulnerabilities with a demonstrable impact on the security of our platform or customer data
7. Out Of Scope
The following issues generally do not qualify for rewards and may not receive an individual response:
- Missing or recommended HTTP security headers
- Clickjacking without a demonstrated exploit
- Missing SPF, DKIM, or DMARC records
- SSL/TLS configuration recommendations without exploitable impact
- Version disclosure or banner grabbing
- Rate-limiting suggestions without demonstrated abuse
- Information disclosed through publicly available sources
- Best-practice recommendations
- Self-XSS
- Reports requiring unrealistic user interaction
- Social engineering
- Physical security issues
- Denial-of-service or resource exhaustion testing
- Third-party vulnerabilities outside Get BOB’s control
- Issues already known to Get BOB
- Duplicate reports
8. Rules Of Engagement
When testing our systems, you agree to:
- Act in good faith.
- Avoid accessing, modifying, deleting, or retaining customer data.
- Avoid disrupting our services or degrading their availability.
- Stop testing once sufficient evidence has been obtained.
- Report vulnerabilities promptly.
- Keep vulnerability details confidential until Get BOB has had a reasonable opportunity to remediate the issue.
- Comply with all applicable laws and regulations.
9. Safe Harbor
If you conduct security research in good faith and in accordance with this policy, Get BOB will not pursue legal action against you solely for activities that comply with this policy.
This safe harbor applies only to activities that comply with this policy and applicable law.
10. Response Process
While response times vary, we generally aim to:
- Acknowledge receipt of reports within several business days.
- Validate legitimate vulnerabilities.
- Prioritize remediation based on risk and impact.
- Provide updates when practical.
11. Public Disclosure
Please do not publicly disclose vulnerability details until Get BOB has confirmed that the issue has been remediated or we have mutually agreed upon a disclosure timeline.
12. Contact
Security reports should be submitted to:
Please include:
- A clear description of the vulnerability
- Steps to reproduce
- The affected URL, endpoint, or feature
- An assessment of the potential impact
- Proof of concept or supporting evidence, where applicable
This document was last updated on June 29, 2026