Co:Create Bug Bounty Program

We take security issues very seriously and appreciate your responsible approach to disclosing these vulnerabilities privately to us at security@usecocreate.io.
We would like to kindly inform you that our company has a bug bounty program specifically designed for white hat hackers who responsibly disclose vulnerabilities like the ones you have found. If eligible for a reward, we have a $100 minimum bounty for every bug that we determine has a valid impact on our system's security.
The scope of the bug bounty would be our API Platform:

We do not own coda.io. Please do not submit reports for vulnerabilities in it.

Program Rules

Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Eligibility

In order to be eligible for a bounty, you must meet the following requirements:
You must be the first reporter of the vulnerability and report it at security@usecocreate.io.
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
No vulnerability disclosure is allowed without express consent from Co:Create. This rule applies to any vulnerability details as well as information obtained during exploitation, even for resolved issues.
We may request up to 60 days of additional time after the disclosure request or report resolution to remediate the issue. This time is usually required to distribute the fixed version among our customers.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
The vulnerability must have a clearly identified security impact and be presented with enough information for investigation and reproduction by the Co:Create team.

Exclusions

Any vulnerabilities reported with the following criteria are not eligible for a bounty:
Affecting an ineligible scope
Bugs caused by a third-party platform or website that our application is using
Only affecting outdated browsers/platforms
Only affecting the executing user (self-XSS and similar)
Caused by misbehaving third-party software/website
Applicable only through social engineering
Relying on the premise that you already have access to an affected account (or the user's browser)
Vulnerabilities considered by Co:Create to be of low severity

Reward Determination

Co:Create will determine at its own discretion whether a reward should be granted and the amount of the reward. Depending on their impact, not all reported issues qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis.
