Raise.com looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Raise.com will make a best effort to meet the following SLAs for hackers participating in our program:
* Time to first response (from report submit) - 5 business days
* Time to triage (from report submit) - 10 business days
* Time to bounty (from triage) - 10 business days
We’ll try to keep you informed about our progress throughout the process.
Raise may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. The following table outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope).
| Critical (9.0 - 10.0) | High (7.0 - 8.9) | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |
|---|---|---|---|
| $2,000 | $750 | $300 | $100 |
Please note that these are general guidelines and that Raise will determine at its discretion whether a reward should be granted and the amount of the reward; in particular, we may choose to pay higher rewards for unusually clever or severe vulnerabilities, or lower rewards for vulnerabilities that require significant or unusual user interaction. This is not a contest or competition. Rewards may be provided on an ongoing basis so long as this program is active.
The following sites and applications are in scope for this program:
Vulnerabilities reported on other Raise properties or applications are currently not eligible for monetary rewards (as they come into scope, they will be added to this section).
Reporting Possible Vulnerabilities
You must report a qualifying vulnerability through the HackerOne reporting tool to be eligible for a monetary reward.
If you are researching security issues, especially those which may compromise the privacy of others, please use test accounts in order to respect our users’ privacy. When demonstrating a vulnerability, please do so in an unobtrusive manner to avoid drawing public attention to the vulnerability. Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for bounty.
Please be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report.
* What type of issue are you reporting?
* How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).
* What is the impact of your issue?
* What are some scenarios where an attacker would be able to leverage this vulnerability?
* What would be your suggested fix?
Eligibility and Responsible Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security of Raise! However, only those that meet the following eligibility requirements may receive a monetary reward:
* You must be the first reporter of a vulnerability.
* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).
* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list).
* You may not publicly disclose the vulnerability prior to our resolution.
Researchers engaged with Raise.com’s Bug Bounty Program agree to Mutual Disclosure. The Finder and Security Team members are to remain in open communication regarding disclosure timelines. If both parties are in agreement, the contents of the Report can be made public on a mutually agreed timeline.
More details can be found in HackerOne's disclosure guidelines (https://www.hackerone.com/disclosure-guidelines).
Any design or implementation issue that is reproducible and substantially affects the security of Raise users or data is likely to be in scope for the program. Common examples include:
* Anything that leaks personal user data; e.g. emails, passwords, gift card numbers
* Cross Site Scripting (XSS)
* Cross Site Request Forgery (CSRF)
* Remote Code Execution (RCE)
Depending on their impact, not all reported issues may qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis, and any report that results in a change being made will at a minimum receive thanks and recognition.
Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Raise users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
* Attacks requiring physical access to a user's device
* Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
* Logout CSRF
* Password and account recovery policies, such as reset link expiration or password complexity
* Invalid or missing SPF (Sender Policy Framework) records
* Content spoofing / text injection
* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
* Social engineering of Raise staff or contractors
* Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
* Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).
* Disclosure of software version numbers
* Unvalidated vulnerabilities reported by automated tools/scanners.
* Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure.
* Host header injection without a specific proof of concept.
* Self XSS or XSS that affects only out-of-date browsers.
* Denial of Service Attacks.
Thank you for helping keep Raise.com and our users safe!