Banner object (1)

4226 policies in database
  Back Link to program      
savedroid logo
Hall of Fame


100 $ 


What's new

25-02-2020 - All Hackers participating in the program at any point in time must adhere to the rules of the program they accepted while joining.
25-11-2019 - New Domain is added to the scope.
12-11-2019 - FAQ guide attached to the policy page on how to use savedroid apps and services
07-08-2019 - Categorization of the Issues based on severity and priority for savedroid for new Public Bug Bounty Program.


Critical Severity - $2500

Issues that savedroid AG would consider to be critical impact include:

Transfer SVD without Balance
Access to Hot Wallets, personal wallets to store the SVD's and trade the crypto SVD's.
Buy Crypto without paying for it
Get the other user private data
Authentication bypass in apps
Changing critical functionality of a system which may lead to severe system misuse

High Severity - $1500

Issues that savedroid AG would consider to be High impact include:

Cross account access in apps
Stored cross-site scripting (XSS) that can affect other users
Flaws that could be used to exploit 3rd-party integration services
Unauthorized configuration changes to installed Infrastructure agents
Remote code execution (RCE) on savedroid backend services
Ability to write data in misconfigured S3 buckets
Private Key Leakage

Medium Severity - $500

Issues that savedroid AG would consider to be medium impact include:

Insufficient validation of incoming URI handler calls for mobile applications leading to information disclosure
Misconfigurations resulting in information leaks
subdomain takeover

Low Severity - $250

Issues that savedroid AG would consider to be low impact :

Information leaks (e.g. directory listing, first name and last name of a user)
Data leaks from internal systems

savedroid Bug Bounty Program

savedroid AG specializes in AI technology for cryptocurrency savings. savedroid registered as an Account Information Service Provider (AIS) at the German banking authority (BaFin); its data protection is certified by TÜV.

savedroid AG aims to keep its Service safe for everyone, and data security is of the utmost priority.
savedroid AG will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy.

We have included a document that will help you get to know Savedroid a little better with some frequently asked questions.

Response Targets

SaveDroid will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) - 1 business days
  • Time to triage (from report submit) - 1 business days
  • Time to bounty (from triage) - 7 business days

We’ll try to keep you informed about our progress throughout the process.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Testing Exclusion

Please note you are not permitted to access, download or modify data residing in any other Account, or one that is not registered to you.
You are also prohibited from:

  • Executing or attempting to execute any Denial of Service attack.
  • Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.
  • Attempting to social engineer support staff.
  • Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages.
  • Testing in a manner that would degrade the operation of the Service.
  • Testing or otherwise accessing or using the Service from any jurisdiction that is a Prohibited Jurisdiction.
  • Testing third party applications or websites or services that integrate with or link to the Service.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Brute-force, / Rate-limiting, / Velocity throttling, and other denials of service based issues.
  • Clickjacking on pages with no sensitive actions.
  • Content spoofing issues without branding CSS.
  • Cookie flags.
  • Covert Redirects.
  • Issue where the fix only requires a text change.
  • Unauthenticated/logout/login CSRF.
  • Malicious attachments on file uploads or attachments.
  • Missing additional security controls, such as HSTS or CSP headers
  • Mobile issues that require a Rooted or Jailbroken device.
  • Password recovery policies, such as reset link expiration or password complexity
  • Reflected File Download (this may be rewarded in the future, but is currently out of scope)
  • SPF, DKIM, DMARC issues.
  • XSS (or a behavior) where you can only attack yourself
  • XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom theme editing
  • Attacks requiring MITM or physical access to a user's device.
  • Missing best practices in SSL/TLS configuration.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep SaveDroid and our users safe!

In Scope

Scope Type Scope Name














Firebounty have crawled on 2019-08-09 the program savedroid on the platform Hackerone.

FireBounty © 2015-2020

Legal notices