We pay for all newfound vulnerabilities.
Vulnerabilities will be ranked from category 5 (£1000) to category 1 (£100), depending on their severity. The Bumble jury determines the severity of the vulnerability.
In scope :
Out of scope :
We don’t want to tie our categories to traditional systems of vulnerability assessment. The more damage a found vulnerability can cause, the more valuable it is to us and the higher the category we assign to it.
And another one important note: we'll respect your karma 'til you respect our time and work: do not send reports without precise and clear PoC; do not create several reports about one vulnerability on a different domains or different mobile platform (if it's not domain-dependant vulnerability or platform-dependent bug of course); do not send generic reports that were copied from other disclosed reports without any check that these reports at least suitable for our services and apps. In other words: be kind!
To make it easier, we’ll give you a number of examples and tell you which category they would be assigned to:
In our experience, most vulnerabilities are classified as HTML-injection or XSS. If the found vulnerability can generally not cause any damage (for example, you can only change the output of the page), then it will get the lowest category (1).
More dangerous: SQL-injection. Let's say you've found a vulnerability that "breaks" an SQL-query, but the only result is an incorrect display of content on the site. Such vulnerability will receive a rewardin the 2nd category. However, if using SQL-vulnerability an attacker can gain access to the data of one or more users, this vulnerability would rise up to the 5th category.
If a vulnerability can update data in the user profile, depending on how critical the data, we may assign a higher category, up to the 5th.
We can also award a super-reward above £1000, if you find something very serious.
We're more than happy to publicly disclose your interesting issue once it has been fixed and agreed with us to do so. Public disclosure without our permission can lead to immediate forfeiture of any reward.
This program have been found on Hackerone on 2017-06-08.