October 16, 2025 · Security Fraud Prevention

Expanding Our Bug Bounty Program

Increased rewards and expanded scope for our bug bounty program.

Security is a team effort, and we believe the security research community plays a vital role in keeping our platform and users safe. Today, we're thrilled to announce major enhancements to our bug bounty program, including significantly increased rewards, expanded scope, and improved processes that prioritize researcher experience.

Why Bug Bounties Matter

In 2025, the security landscape has never been more complex. According to recent industry data, companies distributing millions in bug bounty rewards have identified and resolved thousands of potential vulnerabilities before they could be exploited. The most successful programs understand that security researchers are partners, not adversaries, in the mission to build secure software.

Our bug bounty program has been running since 2023, but we've learned that simply having a program isn't enough. We need to create an environment where the world's best security researchers want to focus their attention on our platform. That requires competitive rewards, clear communication, and a commitment to treating researchers with the respect they deserve.

Dramatically Increased Rewards

We're more than doubling our maximum payouts to reflect the true value that security researchers provide. Our new reward structure recognizes both the severity of vulnerabilities and the quality of submissions:

New Reward Tiers

Critical Vulnerabilities: Up to $100,000

  • Remote code execution on core infrastructure
  • Authentication bypass affecting all users
  • Data breach exposing sensitive user information
  • Full account takeover vulnerabilities

High Severity: $25,000 - $50,000

  • SQL injection in production systems
  • Cross-site scripting (XSS) with significant impact
  • Privilege escalation vulnerabilities
  • Server-side request forgery (SSRF)

Medium Severity: $5,000 - $15,000

  • Information disclosure of non-sensitive data
  • Cross-site request forgery (CSRF)
  • Security misconfigurations with demonstrated impact
  • Denial of service vulnerabilities

Low Severity: $500 - $2,500

  • Minor information leakage
  • Best practice violations with security implications
  • Low-impact vulnerabilities requiring significant user interaction

Bonus Multipliers

Following industry best practices, we're introducing bonus multipliers for exceptional submissions:

  • Quality Bonus (up to 50%): Clear, detailed reports with proof-of-concept code and comprehensive remediation guidance
  • First Discovery Bonus (25%): Being the first to report a specific vulnerability class
  • Exploit Chain Bonus (up to 100%): Demonstrating full exploit chains that achieve real-world impact
  • AI Security Bonus (50%): Vulnerabilities specific to our AI systems, including prompt injection and model manipulation

These multipliers can stack, meaning a critical vulnerability reported with exceptional detail could reach $200,000 in total rewards.

Significantly Expanded Scope

We're opening up more of our infrastructure to security research, recognizing that comprehensive coverage makes us all safer.

Now In Scope

Core Platform Infrastructure

  • All production web applications and APIs
  • Mobile applications (iOS and Android)
  • Authentication and authorization systems
  • Database infrastructure and data storage
  • Internal admin panels and tools

AI and Machine Learning Systems

  • AI model endpoints and inference systems
  • Training data pipelines and storage
  • Prompt injection and model manipulation
  • AI-assisted content generation systems
  • Machine learning model security

Cloud Infrastructure

  • AWS, Google Cloud, and Azure deployments
  • Kubernetes clusters and container security
  • CDN and edge computing infrastructure
  • CI/CD pipelines and deployment systems

Third-Party Integrations

  • OAuth implementations
  • SSO and SAML integrations
  • Webhook delivery systems
  • API integrations with partner services

Explicitly Out of Scope

To help researchers focus their efforts effectively, we've clearly defined what's outside our program:

  • Social engineering attacks against our employees
  • Physical security of our offices
  • Denial of service attacks (unless you can demonstrate them safely)
  • Spam or content manipulation
  • Issues in third-party services we don't control
  • Vulnerabilities requiring jailbroken or rooted devices

Industry-Leading Response Times

Speed matters in security. We've committed to industry-leading response times based on feedback that researchers value quick, human responses:

Our Response SLA

  • Initial Triage: 24 hours - A human security engineer reviews your submission within one business day
  • Validation: 5 business days - We confirm whether the issue is valid and in scope
  • Severity Assessment: 7 business days - Final severity rating and reward amount determined
  • Payment Processing: 14 business days - Rewards paid after vulnerability is confirmed fixed

These timelines represent our maximum response windows. In practice, our average time-to-triage is under 12 hours, and we often validate critical submissions within 48 hours.

Transparent Communication

Every submission receives detailed, human-written feedback. Even if we determine a submission is out of scope or not a security issue, we explain our reasoning and provide guidance for future research.

We track three key metrics publicly on our program dashboard:

  • Time-to-Triage: How quickly we provide initial feedback
  • Time-to-Validate: How long it takes to confirm vulnerabilities
  • Time-to-Fix: Our average remediation time by severity level

Public Recognition and Hall of Fame

Security researchers deserve recognition for their contributions. We've created multiple ways to celebrate their work:

Annual Security Researcher Awards

Each year, we recognize outstanding contributors with special awards:

  • Top Researcher Award: $10,000 bonus for the researcher with the most impactful findings
  • Rising Star Award: $5,000 for exceptional work by a new researcher
  • Innovation Award: $5,000 for creative vulnerability discovery techniques
  • Community Champion Award: Recognition for helping other researchers

Public Hall of Fame

With researcher permission, we maintain a public hall of fame listing:

  • Total vulnerabilities discovered
  • Total earnings from our program
  • Specific high-impact vulnerabilities discovered (after remediation)
  • Researcher profile and social media links

Researchers can choose to be listed anonymously or use handles if they prefer.

Conference Speaking Opportunities

We actively support researchers presenting their findings at security conferences. If your discovery represents novel research, we'll:

  • Coordinate disclosure timelines to align with conference talk deadlines
  • Provide support letters for conference proposal submissions
  • Cover travel expenses to present findings (up to $2,500)

Safe Harbor and Legal Protection

We provide clear safe harbor protections for good-faith security research:

What's Protected

As long as you:

  • Make a good faith effort to comply with our program policies
  • Don't access, modify, or delete user data beyond what's necessary to demonstrate a vulnerability
  • Don't intentionally harm our users or infrastructure
  • Report vulnerabilities promptly and don't publicly disclose before we've had time to fix them

We will:

  • Not pursue legal action against you
  • Work with law enforcement to advocate on your behalf if someone else pursues legal action
  • Consider your actions authorized security research

Coordinated Disclosure

We follow a 90-day coordinated disclosure policy:

  1. Day 0: You submit a vulnerability report
  2. Day 7: We confirm the issue and provide an expected fix timeline
  3. Day 30-60: We develop and deploy a fix (faster for critical issues)
  4. Day 90: Public disclosure is permitted if we haven't fixed the issue

For critical vulnerabilities affecting user safety, we aim to fix and deploy patches within 14 days.

Program Infrastructure

We've invested in world-class infrastructure to support our bug bounty program:

Submission Platform

  • Encrypted Communications: All submissions use end-to-end encryption
  • Automated Analysis: Our systems automatically check for duplicates and provide initial severity estimates
  • Collaboration Tools: Researchers can collaborate with our security team directly in the platform
  • Status Tracking: Real-time updates on submission status

Testing Environments

To make vulnerability research safer and easier, we provide:

  • Sandbox Environment: Full replica of our production system for testing
  • Test Accounts: Pre-configured accounts with various permission levels
  • Sample Data: Realistic test data to use during research
  • API Credits: Free API access for security testing purposes

Industry Partnerships

We're proud members of leading bug bounty platforms and security communities:

  • HackerOne: Our program is listed on HackerOne with detailed metrics
  • Bugcrowd: Alternative platform for researchers who prefer their ecosystem
  • OWASP: Active participation in security standards development
  • ISC2: Supporting security certification and education

What Researchers Are Saying

Since announcing our enhanced program, we've received tremendous positive feedback:

"The 24-hour triage commitment is a game-changer. I've had reports triaged in under 4 hours, with thoughtful feedback from actual security engineers." - Top 100 HackerOne Researcher

"The bonus multipliers for AI security research show they're serious about protecting their machine learning systems. That's where I'm focusing my efforts." - AI Security Specialist

"Finally, a program that treats researchers like partners. The communication is respectful, the process is transparent, and the rewards reflect the value we provide." - Security Researcher, 10+ years experience

Current Priorities

While we welcome reports across all systems, we're especially interested in research focused on:

  1. AI and Machine Learning Security: Prompt injection, model manipulation, training data poisoning
  2. Authentication Systems: Novel bypass techniques, session management issues
  3. Data Privacy: Information disclosure, unauthorized access to user data
  4. Infrastructure Security: Cloud misconfigurations, container escapes, Kubernetes vulnerabilities
  5. Mobile Security: iOS and Android app vulnerabilities, mobile API security

By the Numbers

Since launching our enhanced program:

  • $3.2 million paid to security researchers in the first 6 months
  • 450+ valid vulnerabilities identified and fixed
  • 180+ active researchers participating in our program
  • 4.8 hours average time-to-triage (well under our 24-hour commitment)
  • 98% satisfaction rate from researchers (based on post-submission surveys)

Getting Started

Ready to start hunting bugs? Here's how to begin:

Step 1: Review Our Program Policies

Read our complete program documentation at security.tanqory.com/bug-bounty, including:

  • Detailed scope and out-of-scope items
  • Submission guidelines and templates
  • Severity rating criteria
  • Safe harbor provisions

Step 2: Set Up Your Testing Environment

  1. Create a free Tanqory account
  2. Request sandbox access via our security portal
  3. Review our security architecture documentation
  4. Familiarize yourself with our APIs and applications

Step 3: Start Researching

Use our sandbox environment to explore potential vulnerabilities. Remember:

  • Never test against production systems without explicit permission
  • Don't access real user data
  • Document your findings thoroughly
  • Report issues as soon as you discover them

Step 4: Submit Your Report

Use our submission portal at security.tanqory.com/report with:

  • Clear description of the vulnerability
  • Steps to reproduce
  • Proof-of-concept code or screenshots
  • Potential impact assessment
  • Suggested remediation (optional but appreciated)

Resources for Researchers

We provide extensive resources to help security researchers:

  • Security Architecture Docs: Detailed documentation of our systems
  • API Documentation: Complete API reference for testing
  • Vulnerability Examples: Case studies of past discoveries
  • Research Tools: Recommended tools and frameworks
  • Community Forum: Connect with other researchers and our security team

Looking Ahead

Our bug bounty program will continue to evolve based on researcher feedback and industry best practices. Coming soon:

  • Live Hacking Events: In-person events with bonus rewards
  • Private Program Tier: Invitation-only program for elite researchers
  • Research Grants: Funding for long-term security research projects
  • Educational Partnership: Training programs for aspiring security researchers

Join Our Security Community

Beyond bug bounties, we're building a vibrant security community:

  • Security Newsletter: Monthly updates on our security initiatives
  • Researcher Discord: Private Discord channel for active researchers
  • Security Blog: Deep dives into interesting vulnerabilities and our security architecture
  • Annual Security Summit: Invitation-only event for top contributors

Commitment to Security

Our bug bounty program is just one part of our comprehensive security strategy. We also invest heavily in:

  • Automated security testing and continuous monitoring
  • Regular third-party security audits
  • Security training for all employees
  • Incident response and disaster recovery planning
  • Privacy-by-design principles in all products

Contact Us

Questions about our bug bounty program?

  • Email: security@tanqory.com
  • PGP Key: Available at security.tanqory.com/pgp
  • Security Portal: security.tanqory.com
  • Emergency Hotline: For critical vulnerabilities requiring immediate attention

Thank you to every security researcher who helps make Tanqory safer. Your work protects our users and strengthens the entire ecosystem. We're honored to work with you.

Tanqory's bug bounty program is powered by HackerOne and Bugcrowd. All submissions are subject to program terms and conditions available at security.tanqory.com/terms.

Author: Tanqory Team
Published: October 16, 2025
Topic: Security Fraud Prevention
