Sav aims to identify and fix any undiscovered bugs, and we seek the assistance of the security community to achieve this. If you discover a security vulnerability on Sav.com, Sav.domain or Virtualcloudmanager.com, please report it to us immediately.
PLEASE BE PATIENT: We will evaluate and address your submission as swiftly as possible. Depending on the complexity of the vulnerability and our available resources, it might take up to 30 days for us to resolve the issue and process your payment.
Sav.com utilizes Bugcrowd’s Vulnerability Rating Taxonomy (https://bugcrowd.com/vulnerability-rating-taxonomy) to prioritize and reward reported vulnerabilities. Currently, we provide rewards for P1 and P2 vulnerabilities.
Reward Structure
If a single vulnerability leads to the exploitation of several others, we reward only the highest-value vulnerability.

| Priority | Bounty |
| --- | --- |
| P1 | $750 |
| P2 | $500 |
| Other | $0 (we appreciate the submission, but cannot currently reward low-priority vulnerabilities) |
Excluded Vulnerabilities
Some vulnerabilities are not eligible for rewards for reasons such as already being known, posing minimal risk, or conflicting with business requirements.

| Category | Description |
| --- | --- |
| XSS or CSRF | Attacks that only affect the user's own account (self-XSS or self-CSRF, typically P5). |
| Error Messages | Descriptive error messages such as stack traces, server errors, HTTP error pages, etc. |
| Rate Limits | Vulnerabilities that essentially amount to a DoS attack. |
| Clickjacking | Vulnerabilities only exploitable through clickjacking. |
| Already Known | Issues that are already known internally or have been previously reported. |
| Public CSRF | CSRF on forms or actions available to anonymous users, such as search or contact forms. |
| CSRF Cookie | CSRF token cookies that are not HttpOnly; this is by design. |
| Out of Scope | Issues not directly related to the production web application: email spoofing, MTA, SPF/DMARC/DKIM configuration, phishing, missing headers, etc. |
| Domains Not Owned by Sav | Any issue on a domain other than Sav.com, Sav.domains or Virtualcloudmanager.com. |
| Development Subdomains | Any dev. or staging. subdomain. |
Guidelines
Confidentiality
Maintaining confidentiality is crucial. Do not share any details of a vulnerability with others, either before or after disclosing it to us. Submissions that are not kept confidential will not qualify for rewards.
Submission Requirements
All required information must be provided for a submission to be accepted.
- Report each vulnerability in a separate email. Additional vulnerabilities in follow-up emails will be ignored.
- Send your report, along with any supporting documentation, to bug-bounty@sav.com.
- Use the subject line format "Bug Bounty: PRIORITY LEVEL", for example "Bug Bounty: P2". Submissions sent without this subject format will be flagged as spam and will not be reviewed.
- Provide your PayPal address for payment.
- Attach a detailed Proof of Concept with steps to reproduce, screenshots, and any other relevant information.
Additional Rules
- Decisions made by Sav regarding bounties are final.
- Avoid illegal activities or crimes.
- You are responsible for any taxes on rewards as per your local laws.
- Do not engage with Sav.com customers in a misleading or abusive manner. Use your own test accounts for any testing.
- Do not perform Denial of Service attacks, scraping, or load testing against the site while looking for vulnerabilities.
- Ensure that your testing causes no harm to the service or its users.
- Anonymous submissions are not accepted. To receive payment, your identity must be confirmed.
- You may need to complete a W-9 tax form or similar documentation as required by the IRS.
- By submitting a vulnerability, you transfer full intellectual property rights of the report to Sav.com.
- Payments cannot be made to individuals in countries under US sanctions.