Vulnerability Disclosure and Reward Program

The current bounty funds are exhausted, so we are temporarily closing the reward program. We will resume it on April 1st. Thank you!

At Punchzee, security is our top priority. We appreciate the efforts of security researchers and ethical hackers who help us identify and mitigate potential security vulnerabilities. To encourage responsible disclosure, we have established a Vulnerability Disclosure and Reward Program.

Responsible Disclosure Policy

If you discover a security vulnerability on our website or app, we encourage you to report it to us in a responsible manner. Please follow these guidelines:

  • Report the vulnerability promptly to our security team at security@punchzee.com.
  • Provide detailed and actionable information about the issue, including clear steps to reproduce it.
  • Proof of Concept (PoC) is required for all valid submissions.
  • Do not publicly disclose the vulnerability before we have addressed it.
  • Do not exploit the vulnerability beyond what is necessary for validation.
  • Conduct testing strictly for security research within the scope of this program and without causing harm or disruption to our services.
  • Only report realistic, actionable vulnerabilities that can be exploited in real-world conditions. Generic or speculative claims (e.g., "an attacker could potentially exploit this...") without a concrete attack vector and proof will not be considered.

We are committed to reviewing and addressing reported vulnerabilities as quickly as possible. We will acknowledge your report within 48 hours and provide updates on our investigation and remediation timeline.

Reward Criteria

We offer rewards for valid security vulnerabilities based on their severity. Our reward amounts are determined using the Common Vulnerability Scoring System (CVSS) to ensure fairness and transparency:

  • 9.0 - 10.0 (Critical): $200 - $500
  • 7.0 - 8.9 (High): $50 - $200
  • 4.0 - 6.9 (Medium): $10 - $50
  • 0.1 - 3.9 (Low): Public Recognition

Note: The final reward amount is at Punchzee's discretion and depends on factors such as impact, exploitability, and report quality.

As we are still an early-stage company, our rewards are currently limited, but we may offer higher discretionary rewards for particularly valuable or critical reports.

Duplicate Reports

If a vulnerability has already been reported by another researcher, we follow a first-to-report policy. Only the first valid submission will be eligible for a reward. However, if multiple researchers provide significant additional insights or exploitation techniques that enhance our understanding of the issue, we may consider partial rewards at our discretion.

Exclusions

The following are not eligible for rewards:

  • Issues related to outdated browsers or plugins.
  • Self-XSS, social engineering, or attacks relying on user errors (e.g., phishing).
  • Denial of Service (DoS) attacks.
  • Reports on third-party services unless they directly impact Punchzee users.
  • SPF, DKIM, or DMARC misconfigurations with no demonstrable impact.
  • Attacks that require MITM scenarios, phishing, or similar external factors.

Changes to This Program

Punchzee reserves the right to modify or terminate this Vulnerability Disclosure and Reward Program at any time, without prior notice. Any changes will be updated on this page, and continued participation in the program constitutes acceptance of the updated terms.

How to Submit a Report

To submit a vulnerability report, email us at security@punchzee.com with the subject line "Security Vulnerability Report." Please include:

  • A detailed description of the vulnerability.
  • Steps to reproduce the issue.
  • Screenshots or proof-of-concept (if applicable).

We appreciate the efforts of security researchers in helping us maintain a safe and secure platform. Thank you for your contributions to Punchzee’s security!
