Bug Bounty Program Policy
Objective
The Bug Bounty Program at Audit My Payroll aims to encourage responsible security research into our customer-facing systems, including our website and applications. We appreciate the valuable contributions of security researchers and believe that a responsible disclosure policy enhances the security of our platforms.
Scope of the Program
- Eligible Systems: All publicly accessible Audit My Payroll applications, APIs, and our official website.
- Ineligible Systems: Internal applications, third-party integrations, and systems acquired within the last six months.
Eligible Bug Types
- Security Vulnerabilities: Issues such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), authentication issues, and remote code execution.
- Data Exposure: Unauthorized access to or exposure of sensitive data.
Rewards
- Critical: AUD $1,500 – $3,000 for vulnerabilities like remote code execution or full database access.
- High Severity: AUD $700 – $1,500 for significant risks like SQL injection or substantial authentication bypass.
- Medium Severity: AUD $300 – $700 for vulnerabilities like cross-site scripting or moderate data exposure.
- Low Severity: AUD $100 – $300 for less impactful issues such as minor information leaks.
Reporting Process
- How to Report: Please report vulnerabilities by sending a detailed email to bugbounty@auditmypayroll.com.au.
- Report Content: Include detailed steps to reproduce the issue, affected systems, and any other relevant information.
- Acknowledgment: We will acknowledge receipt of your report within 5 business days.
- Verification and Updates: Our security team will evaluate the submission and provide regular updates on the resolution process.
Legal and Ethical Guidelines
- Safe Harbour: Participants who adhere to this policy are assured of our cooperation and protection from legal action related to their findings.
- Confidentiality: We expect researchers to maintain the confidentiality of their findings until a fix is deployed.