Populi Bug Bounty Program

Populi takes security seriously, and welcomes reports of vulnerabilities that could substantially impact the security of our infrastructure or applications. If you believe that you have discovered such a vulnerability, please report it at . Populi’s security team will work with you to investigate, triage, and resolve the issue promptly. Populi will reward the first reporter of a vulnerability with a payment which factors in the impact of the discovered bug, the ease of exploit, and the level of effort required to discover the bug.

If multiple bugs are discovered or reported together, the term “bug” includes all of them collectively, and they can be rewarded collectively as well.

In Scope

We are interested in serious vulnerabilities in our infrastructure, such as:

  • Web application and networking attacks on the main Populi web app
  • Attacks on Populi’s iOS and Android apps
  • Attacks on corporate VPN or development/sandbox resources
  • Attacks on our external/marketing sites

Out of Scope

Here’s a non-exhaustive list of things we would consider out-of-scope:

  • SPF/DMARC records
  • Lack of CSRF tokens unless a working attack in a critical area can be demonstrated in a supported browser
  • Security header configurations/best practices that do not directly lead to a vulnerability
  • Outdated software without any noteworthy vulnerability
  • Absence of rate limiting

Responsible Security Research

We ask that all security researchers abide by these principles:

  • Do not access or modify our data or our users’ data, without explicit permission of the owner; only interact with your own accounts or test accounts for security research purposes
  • Contact us immediately if you do inadvertently encounter user data; do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Populi
  • Share the security issue with us in detail
  • Give us a reasonable time to respond to the issue
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service)
  • Otherwise comply with all applicable laws

Responsible Disclosure Process

When you discover a vulnerability in Populi, you agree to immediately submit a vulnerability report to . At this point, you enter into a cooperative relationship with Populi in which you allow us to patch the bug before disclosing its details to anyone else.

Consequences of Complying with This Policy

Populi will not pursue civil action or initiate a complaint to law enforcement for security research conducted according to this policy, or for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

Bounties

Populi will determine the bounty amount (if any) for every vulnerability report, using internal criteria and analysis (see the principles listed in the Summary above).

Upon approval of a bounty, Populi will provide a Bug Bounty Reward Agreement that lists the particular bounty amount and payment method. After receiving a signed copy of the Bounty Reward Agreement, Populi will pay the bounty within the period specified (usually 14 days).

Due to certain legal and operational restrictions, Populi cannot use certain payment methods. To receive the bounty, you need to be able to receive US dollars in a bank account (but we will attempt to accommodate you if this is not possible).

You are responsible for reporting and paying any taxes associated with the bounty.