Raise.com looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Raise.com will make a best effort to meet the following Response Times for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
Raise may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $200 USD. The following table outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope).
Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 -
$3,000 | $1,000 | $500 | $200
Please remember that Raise only pays bounties for assets in scope.
Please note that these are general guidelines and that Raise will determine at its discretion whether a reward should be granted and the amount of the reward. In particular, we may choose to pay higher rewards for unusually clever or severe vulnerabilities or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.
The following sites and applications are in scope for this program:
Vulnerabilities reported on other Raise properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section).
You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.
If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy. When demonstrating a vulnerability, please do so in an unobtrusive manner to avoid drawing public attention to the vulnerability. Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for bounty.
Please be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report.
We are happy to thank everyone who submits valid reports which help us improve the security of Raise! However, only those that meet the following eligibility requirements may receive a monetary reward:
Researchers engaged with Raise.com’s Bug Bounty Program agree to Mutual Disclosure. The Finder and Security Team members are to remain in open communication regarding disclosure timelines. If both parties are in agreement, the contents of the Report can be made public on a mutually agreed timeline.
More details can be found in HackerOne's disclosure guidelines.
Any design or implementation issue that is reproducible and substantially affects the security of Raise users or data is likely to be in scope for the program. Common examples include:
Depending on their impact, not all reported issues may qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive thanks and recognition.
Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Raise users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
Thank you for helping keep Raise.com and our users safe!