Bug Bounty

What is the scope of the bug bounty program?

The Satrion.com websites my.satrion.com, www.satrion.com and api.satrion.com are all within scope. The accepted categories include injection attacks, authentication or authorization flaws, cross-site scripting, sensitive data exposure, privilege escalation, and other security issues.

What issues are out of scope?

Satrion.com customer instances are not in scope. Many instances have default hostnames or reverse DNS entries ending in "satrion.com"; that alone does not imply that an IP is in scope. If you have any questions about whether or not something is in scope, please contact us before you take any action.

DDoS Attacks

Any sort of DoS/DDoS attack is strictly forbidden.

Automated Scan Reports

These are generally very noisy, have a very high false-positive rate, and are not in scope.

Compromised Customers

Bugs requiring the user to be compromised or to have malicious browser extensions are not in scope.

Operating Systems

Vulnerabilities in the operating systems we provide are not in scope unless the issue is directly caused by modifications we have made to it.

Deprecated Browsers

Exploits that require the end user to run an outdated or legacy web browser are not in scope.

Support Tickets

Please do not submit a large volume of support tickets or replies. This can cause delays for other customers with actual problems.

Email changes for unverified accounts

We allow email addresses to be changed without verification before a user has funded their account or verified their email. Protections around funded or verified accounts are significantly stronger.

Missing security headers

Reports of missing security headers (Content-Security-Policy and similar) or DMARC policy suggestions are not in scope.