Security Exploit Bounty Program

Responsible Disclosure

Security of user data and communication is of utmost importance to us. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Steady. Principles of responsible disclosure include, but are not limited to:

  • Accessing or exposing only customer data that is your own.
  • Avoiding scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site).
  • Keeping within the guidelines of our Terms Of Service.
  • Keeping details of vulnerabilities secret until we’ve been notified and had a reasonable amount of time to fix the vulnerability.

In order to be eligible for a bounty, your submission must be accepted as valid by our team. We use the following guidelines to determine the validity of requests and the reward compensation offered.


Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.


More severe bugs will be met with greater rewards. We are most interested in vulnerabilities within Other subdomains of Steady are generally not eligible for rewards unless the reported vulnerability somehow affects customer data. In general, bug bounty rewards are only issued for global vulnerabilities. This means bug bounties are not issued for vulnerabilities that are isolated to teams a user is on.

Examples of Qualifying Vulnerabilities

  • Authentication flaws
  • Circumvention of our Platform/Privacy permissions model
  • Clickjacking
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF/XSRF)
  • Mixed-content scripts
  • Server-side code execution

Examples of Non-Qualifying Vulnerabilities

  • Denial of Service vulnerabilities (DoS)
  • Possibilities to send malicious links to people you know
  • Security bugs in third-party websites that we integrate with
  • Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible
  • Vulnerabilities that are isolated to only a user’s teams

Rewards and Notes

  • Only 1 bounty will be awarded per vulnerability.
  • If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
  • We maintain flexibility with our reward system, and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.
  • To receive a reward, you must reside in a country not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan & Syria). This is a discretionary program and we reserve the right to cancel the program; the decision whether or not to pay a reward is at our discretion.
  • Our system will automatically delete accounts that are suspicious and attempting to use obvious known exploits.
  • We’re only able to respond to reports in which a new or unknown vulnerability is found.


If you’re not a Steady customer, please contact us and get our written permission before beginning testing. You must use credentials we provide for this purpose. Our system will automatically delete accounts that are suspicious and attempting to use obvious known exploits.

If you’re ready to file a report, please use this form.