Bug Bounty Program

&frankly believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly and provide rewards for vulnerabilities found in our application.

Important note: As of February 2022 we have temporarily paused our Bug Bounty Program due to receiving too many low quality/invalid submissions. We hope to restore our program in the near future.

Disclosure policy

We ask you to abide by the following &frankly disclosure guidelines:

  • Unless &frankly gives you permission, do not disclose any issues to the public, or to any third party.

  • Unless &frankly gives you permission, do not disclose any report submitted in relation to a &frankly program.

  • If you have questions on timelines (to remediation, to bounty, etc.), please ask directly in the relevant report.

Rules of engagement

We are interested in hearing about security issues on all &frankly properties, including our apps and web services.

To be eligible for a reward, note that we typically require the reported issue to have an actual and severe security impact in a realistic scenario. This does not mean you need to fully exploit the issue; just provide the information you have, and we will analyze your report and draw our own conclusions about its impact.

What not to do:

  • When experimenting, please only attack test accounts that you control or that have been given to you by us. A PoC that unnecessarily involves the accounts of other end users or &frankly employees may be disqualified.

  • Do not run automated scans without checking with us first.

  • Do not test the physical security of our or our infrastructure providers' offices, employees, equipment, etc.

  • Do not test using social engineering techniques (phishing, vishing, etc.).

  • Do not perform DoS or DDoS attacks, or other attacks that may compromise the stability of our service.

  • Do not in any way attack our end users or engage in the trade of stolen user credentials.

  • Do not attempt to generate emails and/or spam other users through our service.

  • Make sure to avoid privacy violations, destruction of data, and interruption or degradation of our service.

Thank you for helping keep &frankly and our users safe!

Scope items

| Type                | Identifier                                            | Severity | Scope/Bounty                      |
|---------------------|-------------------------------------------------------|----------|-----------------------------------|
| Application         | https://app.andfrankly.com (and related API subdomains) | Critical | Yes                             |
| Marketing web       | https://www.andfrankly.com                            | Medium   | Only for Critical vulnerabilities |
| Android: Play Store | com.andfrankly.app                                    | Critical | Yes                               |
| iOS: App Store      | 911773424                                             | Critical | Yes                               |

Bounty rewards

We only provide rewards for vulnerabilities that were previously unknown to us and that can be proven exploitable. &frankly assesses the vulnerability level at its sole discretion, based on the proof provided.

| Vulnerability | Description                                                                                                                                                                                                                                              | Bounty                                 |
|---------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------|
| Critical      | Verified SQL injection, very severe XSS or similar. Risk of complete data loss or destruction.                                                                                                                                                            | $250-500 (or more depending on issue)  |
| High          | Severe XSS or possibility to circumvent a core/critical access control mechanism. Risk of large data loss or destruction, and/or highly privileged access.                                                                                               | $100-250                               |
| Medium        | Possibility to circumvent a non-critical access control mechanism. Low risk of data loss; no possibility of data destruction or access to sensitive information.                                                                                          | No bounty                              |
| Low           | E.g. disclosure of operating system or system component version; minor bugs/vulnerabilities that risk no personal data and/or only provide limited/non-sensitive access to functionality, or that require social engineering or other non-technical means to exploit fully. | No bounty                              |

Bounty contact

Please send the details of any vulnerability findings to tech@andfrankly.com and we will assist in validating your finding and confirm if it is eligible for a reward.

We answer all bug bounty requests and try to do so as fast as possible, but a confirmation that your bug has been received and/or an update on your case may, in the worst case, take more than 2-3 weeks. Please do not repeatedly request an update on your case, especially if you have already received a confirmation and/or have only just submitted it. We reserve the right to deny a reward for any reported bug where we have received repeated requests for updates and/or requests for updates too soon after submission.