
Bug Bounty Program

At Rosebud, we are committed to providing a secure and reliable platform for our users to engage in personal growth through AI-powered daily journaling. As part of our ongoing efforts to ensure the highest standards of security and performance, we are excited to introduce the Rosebud Bug Bounty Program.
As a small team, we are dedicated to addressing high-severity technical vulnerabilities that pose significant risks to our platform and users. We appreciate your understanding and cooperation in helping us maintain the security of our application.
💡 To ensure we can efficiently prioritize and resolve these critical issues, we will only respond to reports that include clear, reproducible steps and demonstrate a confirmed high-severity vulnerability.

Scope and Eligibility

Our Bug Bounty Program covers high-severity technical vulnerabilities that meet the following criteria:
  1. The vulnerability must be discovered on our live production site at my.rosebud.app.
  2. The vulnerability must have a clear technical attack vector and not rely on social engineering or phishing.
  3. The report must include detailed reproduction steps using our domain my.rosebud.app. Generic or vague reports without specific steps will not be considered.
  4. The vulnerability must have a direct, demonstrable impact on the confidentiality, integrity, or availability of our application, users, or data.

High-Severity Issues: $500 Reward

High-severity bugs are critical technical issues that pose significant and immediate risks to the security of our platform. These vulnerabilities could lead to the compromise of sensitive user information, unauthorized access to restricted functionality, or system-wide disruptions.
Examples of high-severity technical vulnerabilities include:
  1. Injection vulnerabilities (e.g., SQL injection, command injection) that allow unauthorized access, data manipulation, or system compromise.
  2. Broken authentication and session management flaws that enable attackers to bypass login requirements or hijack user sessions.
  3. Sensitive data exposure due to weak encryption, insecure storage, or insecure transmission of critical information.
  4. Broken access control mechanisms that allow unauthorized users to perform privileged actions or access restricted resources.
  5. Security misconfigurations that leave the application open to attack, such as default credentials, exposed services, or outdated software with known vulnerabilities.

How to Submit for Bounties

To submit a bug bounty report, please follow these steps:
  1. Email your detailed findings to bugbounty@rosebud.app
  2. Use the subject line "Rosebud Bug Bounty: [Short Description]"
  3. In the email body, provide a comprehensive report that includes:
      • Title
      • Severity (must be high)
      • Description
      • Impact
      • Reproduction Steps (using my.rosebud.app)
      • Resolution Steps
      • Screenshots or demo video
  4. Include your full name and preferred payment method for the reward.
After submitting your report, our team will evaluate it within 5-10 business days. If the vulnerability is confirmed and resolved based on your provided resolution steps, we will award you the $500 bounty.

Out of Scope

  • Duplicate reports (only the first valid report will be rewarded)
  • Similar vulnerabilities reported separately (please include them in a single report)
  • Vulnerabilities in third-party software not directly under our control
  • Non-technical issues or those requiring social engineering
Thank you for participating in the Rosebud Bug Bounty Program. Your contributions help us enhance the security and reliability of our platform, ensuring a safer experience for all our users.