Appcharge Bug Bounty Program
At Appcharge, we’re committed to giving developers and players an experience they can count on—smooth, secure, and frustration-free. We continuously test, refine, and strengthen every part of our platform because trust is built on proactive improvement, not quick fixes.
Think you’ve spotted a vulnerability or discovered a way we can level-up our processes? Let us know! When your report qualifies for a bounty, we’ll jump on the fix and email you the reward amount and payout timeline.
Thanks for helping us keep Appcharge running at the top of the game. Happy hunting!
Rules of Engagement
We welcome detailed, reproducible reports that help us keep the Appcharge platform secure. Please read and follow these guidelines before submitting.
1. What to Include in Your Report
Submit the form below and be as specific as possible. A report without a working proof of concept (PoC) will be closed as Informational.
- URL or product where the issue occurs
- Bug category (e.g., XSS, IDOR, logic flaw)
- Step-by-step reproduction and validation steps
- Impact assessment – why this matters and what harm it could cause
- Your remediation suggestions
2. Testing & Conduct Guidelines
| Do | Don’t |
|---|---|
| Use only your own Appcharge test accounts. | Modify, delete, or exfiltrate data that isn’t yours. |
Limit automated tools to ≤ 15 requests/sec and set your User-Agent to appcharge-bugbounty-your-email@. | Run brute-force, denial-of-service, or resource-exhaustion attacks. |
| Probe our services responsibly. | Target Appcharge employees, customers, or facilities (no social engineering, phishing, or physical intrusion). |
Heads-up: Scans with high QPS trigger automatic blocks. Reinstatement can take time, so please configure it correctly.
3. After You Send the Bug Bounty Report
- You’ll receive an automated acknowledgment (and a request for extra details if needed).
- Our security team reviews and attempts to reproduce your report.
- If validated, we’ll confirm the finding, prioritize a fix, and update you on bounty eligibility.
Rewards & Severity
We align our payouts with the CVSS 3.1 severity scale. While the ranges below show the maximum typical reward for each level, final amounts are always at Appcharge’s discretion. Exceptional, well-documented findings may earn a bonus, while issues with onerous preconditions or strong compensating controls may be reduced.
| Severity | Reward (USD) |
|---|---|
| Critical | $1,000 – $2,000 |
| High | $800 |
| Medium | $500 |
| Low | $100 |
Duplicates & Root-Cause Overlap
- The first fully reproducible report wins the bounty.
- Several bugs stemming from one underlying flaw are treated as a single vulnerability (one payout).
Timing
We award bounties upon validation and keep you in the loop as we work through remediation. Some cases require extra analysis—if so, payment may follow a bit later.
Payment Options
We may choose to use one of these two ways to provide your bounty:
- PayPal – We’ll transfer the funds to your personal account. (You’ll need to confirm the account details belong to you.)
- Amazon Gift Card – We can email you an Amazon gift card for the full reward amount.
Report email submission
All reports should be sent here: bountyprogram@appcharge.com
Thanks for helping us keep the Appcharge ecosystem secure!