Populi takes security seriously, and welcomes reports of vulnerabilities that could substantially impact the security of our infrastructure or applications. If you believe that you have discovered such a vulnerability, please report it at . Populi’s security team will work with you to investigate, triage, and resolve the issue promptly. Populi will reward the first reporter of a vulnerability with a payment which factors in the impact of the discovered bug, the ease of exploit, and the level of effort required to discover the bug.
If multiple bugs are discovered or reported together, the term “bug” includes all of them collectively, and they can be rewarded collectively as well.
We are interested in serious vulnerabilities in our infrastructure, such as:
Here’s a non-exhaustive list of things we would consider out-of-scope:
We ask that all security researchers abide by these principles:
When you discover a vulnerability in Populi, you agree to immediately submit a vulnerability report to . At this point, you enter into a cooperative relationship with Populi in which you allow us to patch the bug before disclosing its details to anyone else.
Populi will not pursue civil action or initiate a complaint to law enforcement for security research conducted according to this policy, or for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Acceptable Use Policy, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.
Populi will determine the bounty amount (if any) for every vulnerability report, using internal criteria and analysis (see the principles listed in the Summary above).
Upon approval of a bounty, Populi will provide a Bug Bounty Reward Agreement that lists the particular bounty amount and payment method. After receiving a signed copy of the Bounty Reward Agreement, Populi will pay the bounty within the period specified (usually 14 days).
Due to certain legal and operational restrictions, Populi cannot use certain payment methods. To receive the bounty, you need to be able to receive US dollars in a bank account (but we will attempt to accommodate you if this is not possible).
You are responsible for reporting and paying any taxes associated with the bounty.