Bug Bounty Program
Pollen Mobile rewards individuals who share with us vulnerabilities, issues, and the methods used to exploit them. Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process. Our priority is to resolve confirmed issues as quickly as possible to protect our customers and the integrity of the network. Pollen Mobile offers public recognition for those who submit valid reports and provide compensation commensurate with the level of vulnerability identified.
In order to be eligible for a Pollen Mobile Security Bounty, the issue must occur on an active, available, version of the Pollen Mobile Core, the Pollen Mobile Bumblebee, or the Pollen Mobile Honeybee for iOS application. Researchers must:
- Be the first to report the issue to Pollen Mobile
- Provide a clear report, which includes a working exploit
- Not disclose the issue publicly before Pollen Mobile releases an advisory for the report
Bounty payments are determined by the severity level of the report. A maximum amount is set for each category, and the exact payment amounts are determined after review by Pollen Mobile. All issues with significant impact to users will be considered, even if they do not match the published caregories below. Bounty payments are dispensed at the discretion of Pollen Mobile.
The purpose of the Pollen Mobile Bug Bounty Program is to protect our customers, their data, and contribute to the strength of the network by understanding vulnerabilities. Reports that include a basic proof of concept instead of a working exploit are eligible to receive no more than 50% of the maximum payout amount. Reports lacking necessary information to enable Pollen to efficiently reproduce the issue will result in a significantly reduced bounty payment, if accepted at all.
A complete report includes:
- A detailed description of the issues being reported
- Any prerequisites and steps to get the system to an impacted state
- Enough information for Pollen to reproduce the issue.
Issues that require the execution of multiple exploits, as well as one-click and zero-click issues, require a full chain for maximum payout. The chain and report must include:
- Both compiled and source versions.
- Everything needed to execute the chain.
- A sample non-destructive payload, if needed.
- A full report
Send your report by email to [email protected]. Include relevant videos, crash logs, and system diagnosis reports in your email. Please DM @zeusdog in Discord if you have any questions or require additional support or guidance in submitting your report.