Table of Contents

Overview

In an attempt to bring stronger transparency to our customers, we are opening up a security Bug Bounty.

Scope and Reporting

This is a black box test against our production environment. In order to have your vulnerability verified, you will need to send the report to [email protected]. Please make sure the subject is clear that this is a bug bounty request (e.g., Bug Bounty: XSS found in site). All findings MUST include:

• Repeatable, programmatic ways for the internal team to replicate and validate
• Vulnerability title, summary, and walkthrough
• All reports in English

In Scope

• golden.com

Ensure that you adhere to Amazon’s Penetration Testing Policy.

Not in Scope

• Denial of Service (DoS/DDoS) style of attacks. If you believe you may have a DoS-related vulnerability then email [email protected] and we will work with internal testing or give you a specific time frame to test.
• Social Engineering style of attacks. This includes anything that would require another user to be coerced into navigating to or interacting with an “attack”. Examples include:
  • Phishing
  • Web Site Spoofing
  • Link Manipulation. (e.g., changing an “l” to a “1” in a url to deceive a user)
• Brute force style attacks. This primarily focuses on gaining access to user’s accounts.
• Accessing another user’s data by any means. If you need to test an exploit that will interact with another user then set up a second user account for testing or reach out to [email protected] if you need specific testing requirements.

Payouts

We do not solely focus on severity ratings (e.g., CVSS) for a vulnerability. We focus on business impact of the vulnerability. Findings are rewarded on a first come basis. We break this down into three (3) payout categories where each category has a max payout.

Critical Max Payout: $10k