Security & Responsible Disclosure
BountyDesk is built for bug bounty hunters. So obviously, our own security has to be solid. If you find a vulnerability, we want to hear from you.
What we offer
I'm a solo developer bootstrapping this. I can't pay cash bounties yet, but for every valid security report you'll get:
- Public credit in the Hall of Fame below
- Free BountyDesk Pro for life
- A genuine thank-you note from the founder
- An X / LinkedIn shoutout (with your permission)
- Backpay promise: when BountyDesk becomes profitable, verified reports from this period will be retro-paid.
How to report
Email kartikeykushagra8@gmail.com with the subject line starting [SECURITY].
Please include: a clear description, reproduction steps, impact, and (if possible) a suggested fix.
In scope
- bountydesk.vercel.app and any future custom domain
- Authentication, authorization, IDOR, privilege escalation
- Payment / billing manipulation (Paddle webhook, plan changes)
- Data leakage between users (RLS bypass)
- XSS, CSRF, SSRF, injection attacks
Out of scope
- Denial of Service (DoS / DDoS)
- Brute-force or rate-limit testing
- Social engineering
- Spam / mass account creation
- Bugs in third-party services (Vercel, Supabase, Paddle)
- Missing security headers without demonstrated exploitability
- Self-XSS or issues requiring physical access
Ground rules
- Don't access, modify, or delete other users' data
- Don't publicly disclose before we've had a chance to fix
- Use test accounts you create yourself (signup is free)
- We aim to respond within 48 hours and resolve high-severity issues within 7 days
Hall of Fame
Researchers who helped make BountyDesk safer:
Be the first — find a bug, get listed here.