For us here at Algorithmia, protecting the privacy and security of our users’ information is a top priority. After some time in development, we are happy to announce that starting today we will be recognizing security researchers for their efforts through a bug bounty program.
A bug bounty program is common practice amongst leading companies to improve the security and experience of their products. This type of program provides an incentive for security researchers to responsibly disclose vulnerabilities and bugs, and allows for internal security teams to respond adequately in the best interest of their users.
All vulnerabilities should be reported via firstname.lastname@example.org. GPG key available below.
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Use the designated communication channels to report vulnerability information to us; and
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Algorithmia until we’ve had 90 days to resolve the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not institute a civil legal action against you and not support a criminal investigation;
- Work with you to understand and resolve the issue quickly (confirming the report within 72 hours of submission);
- Recognize your contribution on our site, if you are the first to report the issue and we make a code or configuration change based on the issue.
Any component developed by us under Algorithmia.com is fair game for this bounty system except individual algorithms created by our users.
Out of Scope:
Any services hosted by third-party providers and services are excluded from scope.
In the interest of the safety of our users, staff, the Internet at large, and you as the security researcher, the following test types are excluded from scope and not eligible for a reward:
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing)
- Findings from applications or systems not listed in the ‘Targets’ section
- Functional, UI and UX bugs and spelling mistakes
- Network level Denial of Service (DoS/DDoS) vulnerabilities
Things we do not want to see:
Personally identifiable information (PII) of users that you may have found during your research.