ReadyTech Bug Bounty Policy

1. Introduction

Readytech (“we”, “us” or “our”) believes that working with skilled security specialists across the globe is crucial in identifying weaknesses in any technology. We welcome researchers to work with us in
identifying any issues according to the program rules described in this policy.

2. Purpose

ReadyTech welcomes responsible disclosure of any vulnerability found in its sites in order to get the best possible security for its services. 

3. Scope

The following sites are included in the bug bounty program:

Other sites are not eligible. These include unreleased products and sites developed and/or hosted by 3rd parties. Our marketing site (readytech.com, readytechtest.wpengine.com) is developed and hosted by a 3rd party and therefore not eligible under this program.

4. Policy

4.1 How to Participate

4.1.1 Screening Process
  • All security specialists an introduction email to approved in our screening process. The email must include, but not limited to:
    • Full Name.
    • Phone Number – it’s necessary, because ReadyTech might need to contact you in case the testing interferes with our service.
    • Verifiable social media account (e.g. Linkedin, Facebook, Instagram, etc).
    • Background experience.
    • The expected date to start and finish testing analysis.
  • Selected participants will be contacted by ReadyTech with an authorization message.
  • ReadyTech reserves the right to refuse participants’ requests without additional information.
  • Failure to pre-register automatically disqualifies the candidate from participating in the program and any reported issues will not be compensated.
  • ReadyTech employees are not eligible for participation in this program.

 

4.1.2 Participants Guidelines

  • Interested security specialists must agree and adhere to the Program Rules as stated in this policy.
  • Vulnerabilities analysis must be executed only for ReadyTech eligible sites (Scope) and respecting the Responsible Disclosure (Topic 5.2);
  • ReadyTech encourages the participants to consolidate all vulnerabilities identified in one unique report.
  • ReadyTech takes information security very seriously, therefore standards or basic vulnerabilities scans are not welcome as its potential risks are already covered by our internal processes. information security very seriously, therefore standards or basic vulnerabilities scans are not welcome as its potential risks are already covered by our internal processes.
  • Participants must be available to supply additional information, as needed by the ReadyTech team, to reproduce and triage any issue.
  • Due to the varying and complex nature of technical issues, ReadyTech does not have firm timelines for analyzing findings under the Bug Bounty Program.

4.2 Responsible Disclosure

The participants must comply with the principles of responsible disclosure, which include, but are
not limited to:

  • Accessing, modifying or exposing only customer data that is your own.
  • Avoiding scanning techniques that are likely to cause degradation of service to other ReadyTech
    customers (e.g. by overloading the site).
  •  Keeping within the guidelines of ReadyTech’s Terms Of Service.
  • Keeping details of vulnerabilities secret until ReadyTech has been notified and had a reasonable amount of time to fix the vulnerability.

4.3 Bounty Eligibility

  • Reports received without prior participant approval won’t be eligible for a bounty.
  • Only vulnerabilities found on eligible sites (Scope) will be acceptable.
  • ReadyTech engineers must be able to reproduce the security flaw reported.
  • The submission must be accepted as valid by ReadyTech according to the principles of this policy 

4.3.1 Vulnerabilities Classification

Examples of Qualifying Vulnerabilities:

  • Authentication flaws
  • Circumvention of our
  • Platform/Privacy permissions model
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • Mixed-content scripts
  • Server-side code execution

Examples of Non-Qualifying Vulnerabilities

  •  Denial of Service vulnerabilities (DOS)
  •  Possibilities to send malicious links to people you know
  •  Security bugs in third-party websites that integrate with ReadyTech
  • Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves be susceptible

4.4 Reward

ReadyTech Bug Bounty Program provides a monetary reward for the participants who report us with any qualifying vulnerability

Reward requirements applies as follows:

  • Only 1 bounty will be awarded per vulnerability.
  • If ReadyTech receives multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
  • You cannot report the same vulnerability on multiple pages or applications to receive additional compensation.
  • The minimum bounty amount for a validated bug submission is $50 USD and the maximum bounty for a validated bug submission is $300 USD.
  •  All bounty amounts will be determined at the discretion of ReadyTech based on severity, impact, and quality.
  • The reward can only be provided for residents of a country not on U. S. sanctions lists (e.g. Cuba, Iran, North Korea, Sudan & Syria).

4.4 Contact

Participants must be oriented to email ReadyTech at bugbountyprogram@readytech.com with any questions about the program.

Introduction

Readytech (“we”, “us” or “our”) believes that working with skilled security specialists across the globe is crucial in identifying weaknesses in any technology. We welcome researchers to work with us to identify any issues according to the program rules described in this policy.

Purpose

ReadyTech welcomes responsible disclosure of any vulnerability found in our sites in order to maintain the highest possible security for our services.

Scope

The following sites are included in the bug bounty program:

  • instructorled.training
  • selfpaced.training
  • axis.readytech.com
  • hyperview.readytech.com
  • admin.readytech.com

Other sites are not eligible. These include unreleased products and sites developed and/or hosted by 3rd parties. Our marketing site (readytech.com, readytechtest.wpengine.com) is developed and hosted by a 3rd party and, therefore, not eligible under this program.

Policy

How to participate

Screening process

All security specialists must send an email to get approved for our bug bounty program. The email should introduce yourself and include the following information at a minimum:​

  • Phone Number – We might need to contact you in case the testing interferes with our service.
  • Verifiable social media account (e.g. Linkedin, Facebook, Instagram, etc).
  • Background experience.
  • The dates you expect to start and finish your testing

If you are unwilling to identify yourself and provide contact details, you cannot participate in our bug bounty program. Failure to pre-register automatically disqualifies the candidate from participating in the program, and any reported issues will not be compensated.

Screening process

Program participants must agree to adhere to the Program Rules as stated in this policy.

  • Testing must be conducted only on eligible sites (Scope) and testers must respect the Responsible Disclosure principles (Topic 5.2);
  • We encourage the participants to consolidate all vulnerabilities identified in one report.
  • We take information security seriously and routinely scan our sites and applications ourselves. Therefore generic scan by outside security professionals is unlikely to produce valid vulnerabilities.
  • Participants must be available to supply additional information, as needed by our development team, to reproduce and triage any reported issue.
  • Due to the varying and complex nature of technical issues, we do not have fixed timelines for analyzing vulnerabilities under the Bug Bounty Program.

Responsible disclosure

The participants must comply with the principles of responsible disclosure, which include, but are not limited to:

  • Accessing, modifying or exposing only customer data that is your own.
  • Avoiding scanning techniques that are likely to cause degradation of service to other ReadyTech customers (e.g. by overloading the site).
  • Keeping within the guidelines of ReadyTech’s Terms Of Service.
  • Keeping details of vulnerabilities secret until ReadyTech has been notified and had a reasonable amount of time to fix the vulnerability.

Bounty eligibility

Vulnerability classification

Examples of Qualifying Vulnerabilities:

  • Authentication flaws.
  • Circumvention of our platform/Privacy permissions model.
  • Cross-site scripting (XSS).
  • Cross-site request forgery (CSRF/XSRF).
  • Mixed-content scripts.
  • Server-side code execution.

Examples of Non-Qualifying Vulnerabilities:

Reward

ReadyTech Bug Bounty Program provides a monetary reward for the participants who report us with any qualifying vulnerability:

Reward requirements apply as follows:

  • Only 1 bounty will be awarded per vulnerability.
  • If ReadyTech receives multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
  • You cannot report the same vulnerability on multiple pages or applications to receive additional compensation.
  • The minimum bounty amount for a validated bug submission is $50 USD and the maximum bounty for a validated bug submission is $300 USD.
  • All bounty amounts will be determined at the discretion of ReadyTech based on severity, impact, and quality.
  • The reward can only be provided for residents of a country not on U.S. sanctions lists (e.g., Cuba, Iran, North Korea, Sudan & Syria).

Contact

If you have questions about this program or would like to participate, send an email to bugbountyprogram@readytech.com.

Last Changed: September 1, 2023

Scroll to Top

Start typing and press enter to search