agwitness

Bug Bounty

Responsible disclosure for researchers who help harden agwitness.

Responsible disclosure

We want to hear from you when something breaks our threat model. Clear reports get faster fixes—and coordinated disclosure protects everyone.

Monetary rewards are being formalized. Until then, every valid report is acknowledged; we prioritize critical impact and will work with you on credit.

Rules of engagement

  • Test only your own accounts—or those you have explicit permission to use.
  • No destructive actions: no data deletion, no sustained load / DoS, no spam.
  • Give us reasonable time to remediate before any public disclosure.
  • Do not exfiltrate user data; a minimal proof-of-impact artifact is enough.

What to expect

Targets, not guarantees—exact timing depends on severity and engineering load.

  • First response: 48h

    Target acknowledgment window.

  • Critical bugs: fast

    Prioritized triage when impact is severe.

  • Disclosure: coordinated

    No public detail before the fix ships.

  • Credit: optional

    Hall of fame with your permission.

Scope

In scope

Examples of what we care about most. If you are unsure, send a short note—we would rather triage than miss a real issue.

  • Auth & session flaws

    Bypass of Firebase session handling, Griffin Key misuse, or privilege escalation in the vault.

  • API & Brain abuse

    Injection, IDOR on deeds, rate-limit bypass, or authentication issues on notarization and proxy routes.

  • Cryptography & integrity

    Weaknesses in hash verification, deed tampering, or misleading verification UX that implies integrity falsely.

  • Web & client issues

    XSS, CSRF, or other high-impact browser vulnerabilities in agwitness web surfaces.

  • Data handling

    Unauthorized access to deeds or vault data, broken sharing-token semantics, or SSRF via webhooks.

Out of scope

Reports in these buckets are usually closed without bounty; we may still route you to the right vendor.

  • Social engineering

    Phishing, pretexting, or physical access.

  • Third parties

    Issues only in Stripe, the Firebase console, or other vendors’ infrastructure (report to them).

  • Noise & best-effort

    Missing security headers with no exploit, typo spam, or DoS without prior agreement.

  • Automated scanning

    Raw scanner output without a demonstrated impact chain.

Our process

From first email to resolution—transparent steps so you know what happens next.

  1. Report

    Email security@agwitness.com with reproduction steps, affected component, and impact. PGP available on request.

  2. Triage

    We acknowledge and classify severity. We may request a demo, logs, or a retest on a patched build.

  3. Fix & verify

    We develop and deploy a fix, then confirm with you before any public mention.

  4. Recognition

    With your consent we credit you in release notes or acknowledgments. Monetary rewards as the program matures.

Strong reports include

  • Clear title and one-paragraph summary
  • Steps to reproduce (commands, URLs, accounts used)
  • Impact: confidentiality, integrity, availability, or privacy
  • Screenshots or video only if they help—no giant attachments without notice

Questions about this page? security@agwitness.com