Vulnerability bounty program



If you come across a security vulnerability on Softr’s website or studio, please report it to our support team by sending an email to support@softr.io. The following details are part of the bounty program that is available to all who submit a vulnerability report.



Rewards


At Softr, we recognize and reward vulnerability reporters. The reward payment amounts are calculated based on the severity and the category of the reported issue(s) and are paid via PayPal.


Before submitting a new issue, you should calculate the issue's severity using the CVSS calculator and include the CVSS score in the report.



Eligibility


The eligibility requirements for rewards are:

  • The issue must have occurred on Softr.com's most recent, publicly available website/app.
  • We don't reward issues that have previously been reported, so you should be the first to report them.
  • You can include a video, how-to, or other information to assist the Softr team in reproducing the issue.
  • You can't disclose any information on the issue without Softr's consent.
  • The issue must be real, not a hypothetical situation.
  • The issue must be in scope (see details below).



Out of scope


If a report solely consists of the output from an automated security scanner, then it will not be rewarded. You are more than welcome to use security scanners, but please don't simply copy their output into our program without providing additional insight.


We don’t generally consider the following elements to be within the scope of the reward program:


  • Feature bugs
  • Any vulnerabilities in third-party services integrated into our platform
  • Third-party code or service vulnerabilities that do not lead to an exploit.
  • Missing HTTP security headers, like:
      • Feature-Policy
      • Content-Security-Policy
      • Strict Transport Security (HTTPS)
      • Pinning of HTTP public keys
      • X-Content-Type-Options
      • X-XSS-Protection
      • X-Download-Options
      • X-DNS-Prefetch-Control
      • Certificate Transparency (Expect-CT)



How to report an issue


To report an issue, please send us an email to support@softr.io with the following details:

  • Issue description.
  • Video, how-to, or proof of concept.
  • Self-assessed severity.
  • The output of the CVSS calculator.
  • Any other information the Softr team would benefit from.


By submitting a vulnerability report to Softr, you grant Softr GmbH a perpetual, irrevocable, and royalty-free license to all intellectual property rights in or relating to the use of this material. It's also critical that you let us know if any part of the report isn't your own or is protected by third-party intellectual property rights. If you do not notify us, you claim that no third-party intellectual property rights are implicated in the report.


Thank you for your help in keeping Softr and our customers safe.
