Posted May 15, 2024
We have paused Rosebud’s Bug Bounty program because we can’t effectively keep up with all of the submissions, leading us to provide unsatisfactory service that does not meet our standards of operation.
🙏 Thank you to all who participated in the Rosebud Bug Bounty Program. Your contributions have helped us enhance the security and reliability of our platform, ensuring a safer experience for all our users.
If you have any high-severity issues you’d like to make us aware of out of the goodness of your heart, you can still email
bugbounty@rosebud.app. Please note will not be replying to this inbox for anything sent after May 15th, 2024.Thank you,
Rosebud Engineering
High-Severity Issues
High-severity bugs are critical technical issues that pose significant and immediate risks to the security of our platform. These vulnerabilities could lead to the compromise of sensitive user information, unauthorized access to restricted functionality, or system-wide disruptions.
Eligibility criteria:
- The vulnerability must be discovered on our live production site at
my.rosebud.app.
- The vulnerability must have a clear technical attack vector and not rely on social engineering or phishing.
- The report must include detailed reproduction steps using our domain
my.rosebud.app. Generic or vague reports without specific steps will not be considered.
- The vulnerability must have a direct, demonstrable impact on the confidentiality, integrity, or availability of our application, users, or data.
Examples:
- Injection vulnerabilities (e.g., SQL injection, command injection) that allow unauthorized access, data manipulation, or system compromise.
- Broken authentication and session management flaws that enable attackers to bypass login requirements or hijack user sessions.
- Sensitive data exposure due to weak encryption, insecure storage, or transmission of critical information.
- Broken access control mechanisms that allow unauthorized users to perform privileged actions or access restricted resources.
- Security misconfigurations that leave the application open to attacks, such as default credentials, exposed services, or outdated software with known vulnerabilities.