Vexor Bug Bounty Program

The Vexor Bug Bounty Program invites security researchers and ethical hackers to responsibly identify and report security vulnerabilities. This page describes the program scope, rewards, eligibility rules, and coordinated disclosure expectations.

1. Overview & Objectives

Vexor is committed to maintaining a secure platform for users, creators, advertisers, and partners. We recognize that independent security researchers play a critical role in helping us identify and remediate vulnerabilities before they can be exploited. The Bug Bounty Program is designed to:

  • Encourage responsible security testing on clearly defined assets.
  • Provide a structured channel for vulnerability reporting.
  • Reward impactful findings that materially improve platform security.
  • Foster long-term collaboration with the global security research community.

2. Safe Harbor & Legal Protections

Vexor provides Safe Harbor protections for researchers who act in good faith and follow this policy. Specifically, if you comply with the program rules:

  • Vexor will not pursue legal action for your security research activities within authorized scope.
  • We will not disable or ban test accounts created for research purposes, provided they are used responsibly.
  • We will work with you to understand and validate your report before drawing conclusions.

Safe Harbor does not apply to activities that cause harm, exploit data, commit fraud, or violate applicable laws. Any testing that affects real users, production data, or business operations beyond minimal proof-of-concept may be treated as abusive or malicious.

3. Program Scope & In-Scope Assets

The following assets and surfaces are considered in-scope for the Vexor Bug Bounty Program:

  • Vexor App & Web: Core Vexor mobile applications and primary web domains, including:
    • vexor.to and documented production subdomains.
  • Authenticated User Flows: Account registration, login, password reset, settings, profile management, content upload, messaging, and monetization flows.
  • Public APIs (documented): Official Vexor API endpoints exposed to third parties, subject to the API Terms of Use and rate limits.
  • Administrative & Moderation Functions: Where exposed through authenticated interfaces that are legitimately accessible.

Additional assets may be formally added to scope in future program updates and will be reflected here or via an official Bug Bounty scope document.

4. Out-of-Scope & Non-Qualifying Issues

The following are out-of-scope and generally not eligible for rewards:

  • Vulnerabilities in third-party services not operated by Vexor.
  • Reports without clear security impact or proof-of-concept.
  • Clickjacking on pages with no sensitive actions.
  • Self-XSS or attacks requiring full victim cooperation beyond realistic phishing.
  • Missing security headers with limited or no practical impact.
  • Use of outdated libraries without an exploitable path.
  • Brute-force or credential stuffing findings without a demonstrated bypass of protections.
  • Rate-limit issues without security or abuse impact.
  • Denial-of-service attacks or volumetric traffic tests.
  • Attacks on test, staging, or non-production infrastructure not designated as in-scope.

5. Rules of Engagement

To qualify for Safe Harbor and potential rewards, researchers must strictly follow these rules:

  • Only test accounts that you own or that you have explicit authorization to test.
  • Do not access, modify, or delete data belonging to other users.
  • Do not perform destructive testing (e.g., data corruption, mass deletion, service disruption).
  • Do not attempt social engineering against Vexor staff or users.
  • Do not run high-volume automated scans that degrade service quality.
  • Stop testing immediately if you encounter personal data or sensitive content and report your findings.
  • Use proofs of concept that are minimal, controlled, and reversible where possible.

6. Severity Classification & Reward Framework

Rewards are discretionary and based on severity, impact, exploitability, and report quality. Vexor uses an internal severity framework similar to industry standards (e.g., a CVSS-inspired approach).

  • Critical: Complete account takeover, remote code execution, or full database exposure.
  • High: Privilege escalation, significant data access, or impactful business logic flaws.
  • Medium: Authentication or access issues with limited scope, moderate data exposure.
  • Low: Minor issues with minimal impact but valid security relevance.

Indicative reward ranges (subject to adjustment once Vexor is in full production):

  • Critical: $1,000 – $10,000+
  • High: $500 – $2,500
  • Medium: $200 – $750
  • Low: $50 – $200

Final reward amounts may vary based on duplication, prior knowledge, environment (pre-launch vs. production), quality of reporting, and ease of exploitation.

7. Reporting Process

To ensure timely and efficient handling, vulnerability reports must be submitted with clear, structured detail.

Submit reports to:

  • Email (Primary): security@vexor.to
  • Email (Backup): infosec@vexor.to

Each report should include:

  • A descriptive title summarizing the vulnerability.
  • Step-by-step reproduction instructions.
  • Environment details (URL, app version, OS, browser, device).
  • Proof-of-concept (screenshots, videos, payload samples, logs).
  • Expected vs. actual behavior.
  • Any temporary test account credentials (if applicable).

8. Triage, Validation & Remediation Lifecycle

Vexor follows a standardized lifecycle for all incoming reports:

  1. Acknowledgement: We strive to acknowledge receipt within 72 hours.
  2. Triage: Security engineers validate impact, severity, and reproducibility.
  3. Remediation Plan: Issues are prioritized, assigned to engineering teams, and tracked internally.
  4. Fix & Verification: Patches are deployed and re-tested to confirm resolution.
  5. Reward Decision: Once validated and fixed, bounty eligibility and amount are determined.
  6. Disclosure Coordination: For eligible findings, we coordinate any public recognition or disclosure.

Complex or systemic issues may require longer remediation timelines; we will keep researchers updated where feasible.

9. Coordinated Disclosure & Public Recognition

Vexor supports responsible, coordinated vulnerability disclosure:

  • Researchers must not publicly disclose vulnerabilities before Vexor confirms remediation or grants permission.
  • We may invite researchers to publish joint or independent write-ups after fixes are deployed.
  • With consent, eligible researchers may be listed in the Vexor Security Hall of Fame.

Unauthorized public disclosure prior to remediation may result in disqualification from rewards and potential legal response in serious cases.

10. Program Limitations & Exclusions

Vexor reserves the right to:

  • Determine eligibility for rewards at its sole discretion.
  • Cap or adjust reward amounts based on budget, duplicate findings, or prior knowledge.
  • Exclude individuals or entities based on legal, regulatory, or sanctions constraints.
  • Pause or terminate the program temporarily for operational or security reasons.

11. Privacy & Data Handling

All vulnerability reports are processed in compliance with Vexor’s Privacy Policy and applicable data protection laws. Researcher-provided data is:

  • Used strictly for security assessment, validation, and response.
  • Stored securely with limited internal access.
  • Retained only as long as necessary for security and compliance purposes.

12. Contact & Escalation

For all bug bounty matters, please use the designated security channels:

Security Team: security@vexor.to
Information Security / Backup: infosec@vexor.to
General Support (non-security): support@vexor.to

13. Changes to This Program

Vexor may modify, suspend, or update this Bug Bounty Program at any time, including scope, reward ranges, or rules of engagement. Material changes will be reflected on this page with an updated revision date. Continued participation in testing activities after such updates constitutes acceptance of the revised terms.