The Maintainly Bug Bounty Program is open to ethical hackers.
Legitimate reports
Bug bounties are paid at the absolute discretion of Maintainly.
You may qualify for a bug bounty if:
1. The bug report is original and no other person has submitted the same report/issue;
2. The bug report is not a known issue to us;
3. It is a legitimate bug or vulnerability. Sometimes, policy decisions are made based on, for example, the type of data or other practical implications. Reports that have already been considered and overridden by a policy decision do not qualify.
4. You have submitted legitimate, fully tested and documented detail that includes a video that confirms that you performed the required testing and clearly shows a vulnerability (NB: we do not accept 'generic' off-the-shelf reports).
For clarity, bug bounties are not paid when:
1. You do not meet the minimum report requirements outlined here;
2. Another person has submitted the same report/issue prior to you;
3. The issue is already known to us (e.g. relates to JavaScript libraries that are not up to date, relates to character length of a particular field, etc.);
4. An internal policy decision relating to functionality overrides things that you might otherwise consider to be a vulnerability.
Disqualification
We will only work with genuine, methodical and courteous individuals that submit potential vulnerabilities. You will be disqualified from the Bug Bounty Program and we will not accept any future submissions if you do any of the following:
Attempt to extort Maintainly regarding a vulnerability;
Make threats to post vulnerabilities online;
Send us excessive or repetitive emails or messages;
Use abusive language.
Reward Assessment
The amount of any reward is determined by Maintainly at its absolute discretion. The amount will vary based on:
1. The overall severity of the issue;
2. The type and sensitivity of data that could potentially be at risk.
When you submit
Maintainly has a defined process to assess and rectify genuine software bugs. After you submit a bug report, it might take some time for that process to play out.
Please submit one single bug report per chat session or email, to enable accurate tracking of each report.
Each report will undergo the following process:
We will verify that you have provided enough details about the report, including video evidence that you have in fact tested the bug. If the report appears to be a generic cut-and-paste report template that has not been fully tested, then the report will be rejected immediately;
An internal support issue will be raised for assessment of the report, whereupon it will be assessed by the development team for validity. We may come back with questions for you at this stage if anything is not clear;
If a legitimate issue has been identified, a fix will be put in place and then released to production. WE WILL NOT CONFIRM THE VALIDITY OF THE REPORT BEFORE THIS STAGE;
If the report meets all of the criteria of the bug bounty program, an appropriate reward will be determined, at our discretion;
Only after all of this will you be contacted.
If there is a reward to be made, you will be asked for a PayPal account to which the reward can be paid.
You will not receive a response from Maintainly until AFTER the issue has been fully assessed and, if deemed appropriate by Maintainly, a fix has been put into place (unless any questions are raised before this). This process may take up to 6 - 8 weeks, depending on the severity of the issue. Until you receive a response, there is no need to contact us. WE WILL CONTACT YOU IN DUE COURSE.
If you have not received a response from us AFTER 6 WEEKS, then you may contact us to check the status.
Please turn off any automated follow-up emails you have enabled - these automated follow-up emails WILL DELAY THE PROCESS.
If you start a new chat session related to a bug report, this WILL DELAY THE PROCESS.