The Peerio Bug Bounty encourages peer review and rewards the contributions of security researchers who volunteer their time and effort to help make Peerio as secure as possible.
Peerio will pay a bounty of up to $5000 CAD for certain client and service security bugs, as detailed below. All security bugs must meet the following general criteria to be eligible:
In some cases, a bounty may be paid for “moderate” level bugs. All bounties will be awarded at the discretion of Peerio’s Bounty Committee.
If you identified the security bug through paid work, we would appreciate your not applying for the Peerio bug bounty. Peerio’s bug bounty program is designed to encourage those who are volunteering their time and effort and not otherwise paid to work on Peerio.
All bug reports should be e-mailed to firstname.lastname@example.org or sent to “Support” on Peerio. Our security team will review your report and evaluate its eligibility for the bounty reward.
Please include the following in your report:
When investigating a possible vulnerability, please only target accounts you own. Never attempt to access, disrupt, or damage the data of other users. Do not attempt to execute DoS attacks, spam users, or anything else that is detrimental to Peerio’s use and service. Peerio reserves the right to not reward legitimate applications if the actions of the reporter have in some way endangered the security of Peerio and its users.
To qualify for the bounty, your reporting must comply with our responsible disclosure policy.
You must not publicly disclose the identified security vulnerability before allowing a reasonable amount of time to address the bug. This policy also holds us responsible for fixing serious security vulnerabilities swiftly and disclosing bugs and fixes within a reasonable amount of time.
If your report is approved, we ask that you be available via your preferred contact method to work with the Peerio team to address the bug. Unless you choose to remain anonymous, you will publicly be given credit for your contributions to Peerio.
If your report is not approved for the bounty, you will be contacted with an explanation of why it did not meet the necessary criteria.
If two or more individuals have collaborated on a legitimate report, the bounty will be divided equally among the individuals listed in the report, unless specified otherwise.