Bug bounty (preview)
We're building a structured vulnerability disclosure program with clear scope, competitive bounties, and fast triage. This page outlines what's coming — bookmark it.
Launching Q3 2026
Public submissions open July–September 2026. Private preview slots available for trusted researchers — reach out on Discord.
Planned scope
Loader & client
C++ loader, Themida-wrapped payload, auto-update pipeline, licensing handshake.
Dashboard & API
Next.js app on Vercel, Upstash KV, SellAuth webhooks, license activation flow.
Discord bot
License provisioning, role sync, webhook relay — any privilege escalation or injection.
Infrastructure
CDN integrity, signing verification, update manifest tampering, domain fronting bypass.
Bounty tiers
| Severity | Range | Example |
|---|---|---|
| Critical | $2,500 – $10,000 | RCE via update manifest, license auth bypass |
| High | $1,000 – $2,500 | AuthN bypass, privilege escalation, data exfil |
| Medium | $300 – $1,000 | CSRF on sensitive actions, IDOR, injection |
| Low | $100 – $300 | Info disclosure, missing security headers |
Rules (preliminary)
1. No automated scanning that degrades service — rate-limit your tools.
2. Do not access, modify, or exfiltrate other users' data beyond what's needed to demonstrate impact.
3. First reporter gets the bounty — duplicates are closed with thanks.
4. Public disclosure only after we've shipped a fix (90-day standard window).
5. Social engineering, physical attacks, and denial-of-service are out of scope.
Want early access?
Trusted researchers can request a private preview slot. Join our Discord and open a ticket in #bug-bounty.