Webpeaker Bug Bounty Program
Webpeaker is committed to building a secure platform and values the contributions of security researchers and ethical hackers who help keep our community safe. This page outlines our policies for vulnerability disclosure and rewards.
Purpose of the Program
We launched this bug bounty program to strengthen our defenses and collaborate with the global security community. Our users trust us to safeguard their data, and we welcome your efforts in helping us maintain that trust.
What We Offer
- Official certificate or letter of appreciation for valid reports
- Public recognition in our Hall of Fame (with your permission)
- Early access to future security-related initiatives or features
Scope of Testing
In-Scope Targets
- Main domain: https://webpeaker.com
- All public-facing subdomains under *.webpeaker.com
- Authentication systems and login flows
- Admin interfaces, dashboard, and user profile functionality
- Any REST APIs exposed on our main or subdomains
Out-of-Scope Targets
- Third-party services not managed by Webpeaker
- Denial of Service (DoS), brute-force, or spam-based attacks
- Social engineering attempts
- Clickjacking on non-sensitive pages
- Best practice suggestions without real-world impact
Severity Levels
Critical
Includes remote code execution, unauthorized admin access, and full database exposure.
High
Includes authentication bypass, stored XSS, and sensitive user data leaks.
Medium
Includes CSRF, reflected XSS, and open redirect with potential phishing risk.
Low
Includes clickjacking, missing headers, and outdated libraries without an exploitation path.
How to Submit a Report
Send your report to security@webpeaker.com with the following details:
- Affected URL or endpoint
- Type and impact of the vulnerability
- Step-by-step reproduction guide
- Proof-of-concept (screenshots, links, or code)
- Any suggested fix or recommendation
Response Timeline
- Acknowledgment: Within 48 hours of receiving your report
- Initial triage: 3–5 business days
- Fix timeline: Depends on severity (typically 7–21 days)
Responsible Disclosure Policy
- Do not disclose issues publicly until we resolve them
- Do not exploit the issue beyond proof-of-concept
- Do not access or modify user data during testing
- Only use your own accounts during testing
Safe Harbor
Webpeaker pledges not to pursue legal action against security researchers who act in good faith and follow this policy. We are on your side and appreciate your contributions to a safer web.
Eligibility and Rules
- Open to individuals worldwide (no age or nationality restriction)
- Only the first report of a specific issue is eligible for acknowledgment
- Must follow all applicable local laws and ethical guidelines
Hall of Fame
Researchers who responsibly disclose valid vulnerabilities will be listed on our Hall of Fame page. If you’d like to stay anonymous, just let us know in your submission.
Closing Notes
Security is a shared responsibility. By reporting vulnerabilities, you help make Webpeaker a safer place for everyone. We deeply value the work of researchers like you.
Thank you,
Webpeaker Security Team