Bug Bounty Program

Bug Bounty Program Terms
No technology is perfect. At Compete, we believe that working with skilled security researchers from
across the globe is crucial to identifying the weaknesses in any technology. If you believe you’ve
found a security issue in our product or service, we encourage you to notify us. We welcome any
contribution that helps us keep our users safe and will work with you to resolve the issue promptly.

Disclosure of Vulnerabilities
● Let us know as soon as possible upon discovery of a potential security issue. We will
make every effort to respond quickly and to resolve the issue as necessary.
● Submission of a vulnerability report should include a detailed description of your
discovery with clear and concise steps allowing us to reproduce the issue.
● Please allow us a reasonable amount of time to resolve the issue before any
disclosure to the public or a third party (note: we may ask you to refrain from public
disclosure).
● Make a good faith effort to avoid privacy violations, destruction of data, and interruption
or degradation of our service. Only interact with accounts you own or with the explicit
permission of the account owner. You should also not exploit a security issue you
discover for any reason, and you should avoid privacy violations and disruptions to others, including
(but not limited to) unauthorized access to or destruction of data and interruption or
degradation of our services.
● If you found the same issue for different areas/domains, please report all of them
together. In other words: You should include all similar vulnerabilities found for different
domains/areas in the same report.
● Work only within the boundaries of the law. You should not violate any applicable laws
or regulations, including (but not limited to) laws and regulations prohibiting
unauthorized access to data.
● Do not disclose to any third party any of your findings included in the report.

Rewards
To show our appreciation, Compete may offer a reward for eligible submissions, based on the severity
of the vulnerability, all at Compete’s sole discretion.

You may be eligible to receive a reward if: (i) you are the first person to submit a given vulnerability;
(ii) that vulnerability is determined to be a valid security issue by the Compete Security Team; and (iii)
you have complied with these Terms.
The decision to grant a reward for the discovery of a vulnerability is at Compete’s sole discretion. The
amount of each reward is based on the classification and sensitivity of the data impacted, the
completeness of your report, ease of exploitation, and overall risk for Compete.
Rewards will be paid via PayPal, at Compete’s sole discretion.
You will be responsible for any tax implications related to reward payments you receive, as
determined by your jurisdiction of residence or citizenship laws.
A bounty reward is valid (and can be claimed) up to 3 months after Compete initially granted it. If you are
rewarded, it is your sole responsibility to provide us with your valid credentials; otherwise, you will
not be able to exercise your reward.

Exclusions
While researching, you should refrain from:
● Denial of service
● Spamming
● Social engineering (including phishing) of Compete staff, contractors, and users
● Any physical attempts against Compete property or data centers

Also, we exclude reports of the following issues:
● Non-sensitive information disclosure (server version, readme files, etc.)
● Inapplicable injections (text injection in 4xx pages, etc.)
● “target=_blank” href link when the link can’t be changed by the user
● Self-XSS
● CSRF on logout
● DNSSEC issue
● SPF and DMARC
● Missing Headers – PKP / STS / X-Frame (e.g., clickjacking) / X-XSS / CSP
● Missing Flags on Cookies
● Scanner reports
● Version disclosure
● Public info disclosure
● SSL / TLS issues
● CSV injection
● Open redirects or Tabnabbing without a severe impact
● Attacks that require physical access to a user device
● Vulnerabilities that require Man in the Middle (MiTM) attacks
● All issues must be reproducible

None of the above are included in this Bounty Program, nor are bugs that are not
responsibly reported and investigated.

General
ALL REPORTS & SUBMISSIONS PROVIDED TO COMPETE ARE CONFIDENTIAL INFORMATION OF
COMPETE. This means you should hold in confidence and not disclose to any third party any
information related to your report or find unless Compete has approved such disclosure in writing in
advance.
Thank you for helping keep Compete and our users safe!
Compete BugBounty team