Bounty Program

As part of Glia’s commitment to security and transparency, we are proud to introduce our Bounty Program. This initiative invites skilled third-party security researchers to assist us in identifying potential vulnerabilities within our software systems. We offer rewards for reports that contribute to the enhancement of our security posture. Participation in this program helps Glia protect our customers and promotes a culture of security across the industry. We look forward to your valuable participation.

This program is intended only for security researchers and participants in the bounty program. For general information about security at Glia Technologies, please see our main website.
‍

‍Program Rules

• Reporting: Participants are required to report any vulnerabilities directly and exclusively to bounty-hunters@glia.atlassian.net, and must not disclose them to the public or any third party prior to our resolution of the reported issues. Reporting vulnerabilities to anyone in the organization outside of bounty-hunters@glia.atlassian.net will result in a disqualification for a bounty for that report.
• Compliance with Laws: Participants must comply with all applicable local, state, national, and international laws and regulations in connection with their participation in this bug bounty program. Bounties are ineligible for individuals or entities in jurisdictions subject to sanctions by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury.
• Data Privacy: Any access to, or handling of, user data should be minimized, and participants must avoid violating the privacy of any user, employee, or company data. Inadvertent or accidental violations of privacy (such as accessing account data, service configurations or other confidential information) must be disclosed in your report.
• Confidentiality: Participants agree not to disclose any information about vulnerabilities found, including but not limited to methods, data, and findings, to any third parties without express written consent from our company.  Any sensitive information acquired during the course of vulnerability research must be handled with the utmost care and should not be copied, altered, or destroyed. After a vulnerability has been resolved, any public disclosure of the vulnerability will be at Glia’s discretion.
• Safe Harbor: Activities conducted in a manner consistent with this program will be considered authorized conduct and we will not initiate legal action for such activities. However, we reserve the right to take legal action against participants who engage in unauthorized actions.
• Service Disruption and Malware: Activities must be conducted in a manner that avoids any service disruption or degradation. Testing should not impact other users or our services’ integrity. The introduction of malware or the use of automated tools or scripts for finding vulnerabilities is strictly prohibited.
• Automated Testing: The use of automated tools, scripts, or scanners is prohibited in this bug bounty program.  
• Reward Eligibility: Submissions must be original and previously unreported. Duplicate reports will not be eligible for a reward. We will review duplicate bugs to see if they provide additional information, but will otherwise only reward the first reporter.
• Payment Schedule: Bounties will be paid only after the reported vulnerability has been verified and fixed. We will inform the participant of the resolution timeline, and payment will be processed upon successful verification of the fix.
• Glia Discretion: Bounty rewards will be determined at Glia’s discretion. Bounty rewards are not guaranteed. We will endeavor to investigate and respond to all valid reports in a timely manner, but we prioritize evaluations based on risk and multiple other factors that may result in a delayed response.Glia reserves the right to modify the terms of the program or terminate the program at any time.

Bug Bounty Rewards

The following guidelines give you an idea of what we may pay out for different classes of bugs. Low-quality reports may be excluded entirely or rewarded below these tiers, so please make sure that there is a valid attack scenario with enough information for us to be able to reproduce your issue to qualify for a reward - we consider this to be a critical element of vulnerability research. Screenshots and videos are also helpful, but please make sure to not make these public before submitting them to follow our program’s rules.

There is no maximum reward - particularly creative or severe bugs will be rewarded accordingly. Depending on the severity of the bug, and the quality of your report, we may pay a lower-tier bug out at a higher level.

‍

Tier 3: Low Severity Bugs $200 and up

• Mixed content issues
• Tabnabbing
• Self-XSS (XSS requiring interaction other than browsing to exploit)
• Server misconfiguration or provisioning errors
• Information leaks or disclosure (excluding customer data)
• And other low-severity issues

Tier 2: Medium Severity Bugs $1000 and up

• Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF), except for in “sandbox” domains unless you can gain access to sensitive user data
• Broken Authentication affecting a organization
• Privilege Escalation affecting a single organization
• SSRF to an internal service, hosted by Glia Technologies (e.g. Applets)
• Information leaks or disclosure (including customer data)
• And other medium-severity issues

Tier 1: High Severity Bugs $2500 and up

• XSS

Tier 0: Critical Severity Bugs $5000 and up

• SQL Injection
• Remote Code Execution
• Privilege Escalation affecting all teams
• Broken Authentication affecting all teams
• SSRF to an internal service, with extremely critical impact (e.g. immediate and direct security risk)
• And other critical-severity issues
  

‍