Cappasity Bug Bounty program
If you believe you have found a security vulnerability or software bug, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.
Products and services:
- Software: Easy 3D Scan for Windows
- Software: Easy 3D Scan for macOS
- API: api.cappasity.com
- Website: 3d.cappasity.com
Pricing model (security bugs / software bugs; updated 7/3/2018):
- P1: Critical — 15,000 CAPP / 10,000 CAPP
- P2: High — 10,000 CAPP / 6,000 CAPP
- P3: Medium — 4,000 CAPP / 2,000 CAPP
- P4: Low — 2,000 CAPP / 1,000 CAPP
- P5: Informational — 0 CAPP
Responsible Disclosure Policy for Security Issues
If you comply with the policies below when reporting a security issue to Cappasity, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. We ask that:
- You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
- You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
- For the purposes of this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.
Bug Bounty Program Terms
CAPP bounties for bug reports are entirely at Cappasity’s discretion, based on risk, impact, and other factors. To potentially qualify for a bounty, you first need to meet the following requirements:
- Adhere to our Responsible Disclosure Policy (see above).
- Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk. (Note that Cappasity ultimately determines the risk of an issue, and that many software bugs are not security issues.)
- Report a software bug: provide text describing, step by step, the minimum set of actions required to reproduce the bug, together with screenshots.
- Your report must describe a problem involving one of the products or services listed under “Products and Services” (see above).
- Submit your report via email to email@example.com (one issue per email). Please do not contact employees directly or through other channels about a report. Please use Dropbox to send large attachments.
- If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, you must disclose this in your report.
- We investigate and respond to all valid reports. Due to the volume of reports we receive, though, we prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply.
- We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. Note that extremely low-risk issues may not qualify for a bounty at all.
- We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.
- In the event of duplicate reports, we award a bounty to the first person to submit an issue. (Cappasity determines duplicates and may not share details on the other reports.) A given bounty is only paid to one individual.
- We reserve the right to publish reports (and accompanying updates).
- We publish a list of researchers who have submitted valid reports.
Our bug bounty program is not a contest or competition. It is an experimental and discretionary rewards program. We may modify the terms of this program or terminate this program at any time without notice. All decisions as to the amount and type of rewards that may be issued, the method of payment (for monetary rewards), and whether or not any reported issue constitutes a significant risk or is eligible for a reward, will be determined at Cappasity’s complete discretion in each case.
We only issue rewards to individuals, and may require a completed and signed U.S. form W-9 or W-8BEN as applicable. We typically issue monetary rewards by PayPal or check, and require your full name and appropriate contact information. You are responsible for any tax implications of any reward you receive and must comply with all tax laws applicable to any rewards that we may issue you. We cannot issue rewards to individuals who are on sanctions lists, or who are located in countries (e.g. Cuba, Iran, North Korea, Sudan or Syria) that are on sanctions lists. You must comply with all applicable local, state, national, and international laws, rules, and regulations in connection with your participation in this program. Your participation in this program must not disrupt or compromise any data that does not belong to you.