Bug Bounty Program

Effective April 2026

We pay researchers who find security issues. The rules below describe what we reward, how to report, and what is in scope.

Scope

  • *.42project.app — production web app and API
  • github.com/42project/* — open-source repositories
  • Mobile apps (when published)

Out of scope: third-party services we use (Stripe, exchanges, cloud providers — report directly to them), social engineering of staff, physical attacks, denial-of-service.

Rewards

  • Critical (account takeover, key extraction, wallet drain): up to $25,000
  • High (privilege escalation, sensitive data leak): up to $8,000
  • Medium (CSRF on sensitive actions, IDOR, stored XSS): up to $2,500
  • Low (reflected XSS, info disclosure): up to $500

Payouts are at our discretion based on impact, novelty and quality of disclosure. Duplicates are not rewarded; first valid report wins.

Rules of engagement

  • Test only against accounts you control.
  • Do not access, modify or delete other users' data.
  • Do not run automated scanners against production. Use the staging environment (request access).
  • Do not publicly disclose until we have remediated. Reasonable disclosure window: 90 days from report.

How to report

Email security@42project.app with the details. PGP key on request. We acknowledge within 24 hours and aim to triage within 5 business days.

Hall of fame

With your permission, we publicly thank researchers who report valid issues. Currently empty — be the first.