AxVeil Bug Bounty Program.
We run offensive security for a living. It would be embarrassing if our own surface were soft. This program rewards researchers who find real vulnerabilities in AxVeil-owned infrastructure — axveil.com, the customer dashboard, and our public APIs.
Program response commitments
From a real operator, every report.
Severity assigned, in/out of scope confirmed.
Receipt time decided by inbox timestamp.
Coordinated, from initial triage.
This program is for AxVeil's own property. Not a client engagement.
Findings against client systems we have tested are out of scope — those reports must go through the client's own disclosure process. If you are unsure, email security@axveil.com and we will route you.
Program runs on goodwill until we hit predictable revenue. Real cash payouts begin once AxVeil clears its first $250k ARR — we will not pretend otherwise. Hall-of-fame credit is available from day one.
In scope and out of scope.
In scope
axveil.com
The marketing site, /lead-magnets, /blog, and any subdomain that resolves to AxVeil-owned infrastructure.
Customer dashboard
Authenticated UI under /dashboard, /admin, /scan, and /portal — tenant isolation, IDORs, privilege escalation.
Public APIs
/api/* endpoints — auth, rate-limit bypass, scan engine input handling, webhook signing.
Authentication surface
NextAuth flows, TOTP/backup-code logic, session fixation, password reset, magic-link issuance.
Out of scope
Client engagements
This program covers AxVeil-owned property only. Findings against client systems must be reported through the client's own disclosure channel.
Third-party SaaS
Stripe, Resend, Cloudinary, Vercel, and other vendors we depend on. Report directly to those vendors — we will credit you here once they confirm.
Volumetric DoS / DDoS
We will not pay out for resource-exhaustion attacks. Application-layer DoS proven with a low-bandwidth PoC is in scope.
Social engineering
Phishing AxVeil staff or customers, physical access, and SIM-swap attempts are explicitly out of scope.
Self-XSS / clickjacking on static pages
Findings that require victim cooperation or have no security impact will be closed as informational.
Outdated browser CVEs
Reports flagging browsers older than the last two major versions (Chrome, Firefox, Edge, Safari) without a working PoC.
Payout bands.
All amounts are in Indian Rupees and quoted as a band — exact value depends on exploit reliability, blast radius, and whether the report includes a clean reproducer. Payouts are subject to budget and may be delayed up to 60 days from triage.
Information disclosure with no PII impact, missing security headers with a working bypass, low-impact CSRF on read-only endpoints.
Stored XSS in authenticated areas, broken access control on a non-sensitive endpoint, weak rate-limits on auth, sensitive log leakage.
Account takeover via password reset, IDOR exposing other tenants' scan output, SSRF into internal infrastructure, authentication bypass.
Pre-auth RCE, full database exfiltration, privilege escalation to admin from any tenant, secret-key compromise on production infrastructure.
Subject to budget. AxVeil reserves the right to adjust the band based on real-world impact and the quality of the proof of concept.
How to test without getting yourself or us in trouble.
No data exfiltration
Demonstrate impact with the minimum viable proof. Do not enumerate beyond the first record. Do not download dumps.
No service degradation
Keep your request rate to what a normal user would generate. If a finding requires high traffic to demonstrate, coordinate with us first via email.
Stay in scope
If you accidentally land on a client system, stop, do not pivot, and report it to security@axveil.com so we can notify the affected party.
First-to-report wins
Duplicate reports for the same root cause receive hall-of-fame credit but no payout. We track receipt time by inbox timestamp.
No public disclosure before fix
Standard 90-day window from initial triage. We will credit you publicly once the patch ships unless you ask to remain anonymous.
Researcher conduct
We will not pursue legal action against researchers who follow these rules in good faith. Operating outside the rules voids that protection.
The reports that get triaged fastest — and paid most.
Report quality is one of the three factors that decide where in a band a reward lands. A clean submission is not just polite — it is in your interest.
A clear, minimal reproducer
Exact request (method, URL, headers, body), the account/role context, and the precise step where behaviour diverges. The faster we reproduce, the faster you get triaged — and a clean reproducer pushes the reward toward the top of its band.
An honest impact narrative
Tell us what an attacker actually gains and under what preconditions. "IDOR exposing another tenant's scan output" beats "broken access control" — we score on real-world blast radius, not category labels.
Evidence, not enumeration
One screenshot or one returned record that proves the issue. Do not dump data, pivot, or enumerate beyond the first proof. Over-collection hurts your report and breaches the rules of engagement.
One root cause per report
Split distinct vulnerabilities into separate reports so each can be triaged, scored, and rewarded on its own merit. Chained findings are welcome — describe the chain, but file the root causes clearly.
Submit a finding.
Primary
security@axveil.com. Encrypt with our PGP key (available on request). Include reproduction steps, expected vs actual behaviour, and the impact narrative. We acknowledge within 48 hours.
HackerOne
Coming soon
We will publish a managed HackerOne program once we cross our first 25 paid bounties. Until then email is the supported channel — every report still gets triaged by the founder personally.
Researchers who made AxVeil safer.
The hall of fame is empty — for now. Be the first researcher to land a valid finding and we will credit you here, on /recognition, and in the next release notes.
Bug bounty, answered.
Is this program paid or hall-of-fame only right now?
Hall-of-fame credit is live from day one. Cash payouts in the bands shown begin once AxVeil clears its first $250k ARR — we would rather be honest about funding than dangle rewards we cannot yet guarantee. Until then, valid findings still get a genuine triage, a public credit (if you want one), and consideration for a retroactive payout once the budget exists.
What's in scope versus the rest of AxVeil?
AxVeil-owned property only: axveil.com and its subdomains, the authenticated customer dashboard, our public APIs, and the authentication surface. Findings against a client's systems are explicitly out of scope and must go through that client's own disclosure channel. Third-party SaaS we depend on (Stripe, Vercel, Resend, Cloudinary) should be reported to those vendors directly.
How do you decide where in a band a reward lands?
Three factors: exploit reliability (does it work consistently or only under rare conditions), blast radius (one record or every tenant), and report quality (a clean, reproducible PoC versus a vague description). A Critical with a one-click reproducer and full impact analysis lands at the top of the Critical band; a theoretical issue with no working PoC lands at the bottom.
What happens if two researchers report the same bug?
First-to-report wins the payout — we track receipt time by inbox timestamp. The duplicate report receives hall-of-fame credit but no cash. If your report meaningfully extends a known issue (a new exploit path, a higher-impact variant), tell us and we will assess it on its own merit.
Will I get in legal trouble for testing?
Not if you follow these rules in good faith. Our coordinated disclosure policy at /disclosure carries a legal safe harbour: research conducted within scope and within the rules of engagement is treated as authorised, and we will not pursue or support legal action over it. Stepping outside scope — data exfiltration, DoS, social engineering — voids that protection.
Found something? Report it.
We respond within 48 hours, every time. Even when the finding is out of scope, you get a real reply from a real operator — never a templated “informational” close.