🎯 Bug Bounty Program Active
We partner with HackerOne to reward security researchers for responsibly disclosing vulnerabilities.
Bounty Rewards
| Severity | Reward | Examples |
|---|---|---|
| Critical | $5,000 - $10,000 | Remote code execution, data breach, complete system compromise |
| High | $2,500 - $5,000 | SQL injection, authentication bypass, privilege escalation |
| Medium | $500 - $2,500 | XSS, CSRF, information disclosure, IDOR |
| Low | $100 - $500 | Minor information leaks, weak security headers |
| Informational | Thank you | Findings that do not pose a security risk |
In Scope
The following assets are in scope for our bug bounty program:
- ✓ api.blazecrawl.dev
- ✓ dashboard.blazecrawl.dev
- ✓ *.blazecrawl.dev
- ✓ Mobile applications
- ✓ Public APIs
Out of Scope
The following are not eligible for rewards:
- ✗ Social engineering attacks
- ✗ Physical security attacks
- ✗ Denial of service attacks
- ✗ Attacks on third-party services
- ✗ Issues in third-party dependencies
- ✗ Brute force attacks on authentication
- ✗ Reports from automated tools without proof of exploitability
- ✗ Missing security headers (without demonstrated risk)
- ✗ Cookie flags on non-sensitive cookies
- ✗ Content spoofing / text injection
Disclosure Policy
90-Day Disclosure Default
We ask that you give us 90 days to fix vulnerabilities before public disclosure. We prefer coordinated disclosure to protect our users.
Safe Harbor
Researchers acting in good faith are protected from legal action for discovering and reporting vulnerabilities.
Triage SLA
• Initial response: 24 hours
• Triage decision: 5 business days
• Fix timeline: Based on severity (Critical: 7 days, High: 30 days, Medium: 90 days)
Contact
For sensitive security issues that shouldn't be posted publicly:
- Email: security@blazecrawl.dev
- PGP Key: Available on request
- HackerOne: hackerone.com/blazecrawl
security.txt
```
# BlazeCrawl Security Policy
# https://blazecrawl.dev/.well-known/security.txt
Contact: mailto:security@blazecrawl.dev
Expires: 2027-04-28T00:00:00.000Z
Encryption: https://blazecrawl.dev/pgp-key.txt
Preferred-Languages: en
Canonical: https://blazecrawl.dev/.well-known/security.txt
Policy: https://blazecrawl.dev/vulnerability-disclosure
HackerOne: https://hackerone.com/blazecrawl
```