Does Radar have a bug bounty or responsible disclosure program?

If you believe you have discovered a bug in Radar's security, please contact us at security@radar.io. We request that you do not publicly disclose the issue.

We operate a reward program for responsibly disclosed vulnerabilities. A reward of between $100 and a maximum of $500 USD may be provided for the disclosure of qualifying bugs, depending on severity. We aim to process submissions within 90 days. Radar rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our clients' or our clients' end users' data.

As with most security reward programs, we ask that you use common sense when looking for security bugs. Vulnerabilities must be disclosed to us privately, with reasonable time for us to respond, and your testing must avoid compromising other clients' or end users' data. We do not reward denial of service, spam, or social engineering vulnerabilities. Although Radar itself and all services offered by Radar are eligible, vulnerabilities in third-party applications that use Radar are not.

As with most security reward programs, there are some restrictions:

  • We will only reward the first person to responsibly disclose a bug to us. We will review duplicate bugs to see if they provide additional information, but otherwise only the first reporter of an issue is rewarded.
  • Automated testing is not permitted.
  • Any bugs that are publicly disclosed will not be rewarded.
  • Whether to reward the disclosure of a bug and the amount of the reward are entirely at our discretion, and we may cancel the program at any time.
  • Your testing must not violate any laws.
  • We cannot provide you a reward if it would be illegal for us to do so.

Excluded Submissions

The following bugs are not eligible for a bounty:

  • Scanner output or scanner-generated reports or video submissions
  • Parameter Pollution without side effects
  • Issues found through automated testing
  • Publicly-released bugs in internet software within 15 days of their disclosure
  • "Advisory" or "Informational" reports that do not include any Radar-specific testing or context
  • Denial of Service attacks and rate limit abuse
  • Spam or Social Engineering techniques, including SPF, DMARC and DKIM issues
  • Content Spoofing
  • Version number information disclosure
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Reports related to the following security-related headers:
    • Strict Transport Security (HSTS)
    • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
    • X-Content-Type-Options
    • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
