Responsible Disclosure & Bug Bounty
Version 1.0
Published: June 3, 2026
TL;DR — The Short Version
Found a security bug? Tell us and we'll fix it fast. Critical vulnerabilities earn up to $500. We won't sue you if you follow these guidelines. Report to security@skylina.polsia.app.
| Severity | Bounty | Examples |
| --- | --- | --- |
| Critical | $500 | RCE, auth bypass, data breach |
| High | $200 | XSS, SQLi, CSRF, IDOR |
| Medium | $75 | Info disclosure, weak crypto |
| Low | $25 | Minor findings, best practices |
1. In Scope
We Pay Bounties For
- Remote code execution (RCE)
- Authentication or authorization bypass
- SQL injection, command injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF) with real impact
- Insecure direct object references (IDOR)
- Server-side request forgery (SSRF)
- Unprotected API keys or secrets exposure
- Data breach or exfiltration via our systems
- Broken cryptographic implementations
Out of Scope
- Social engineering attacks
- Physical security testing
- Attacks on third-party services we integrate with
- UI/UX bugs (broken layouts, missing error messages)
- Informational findings (banner grabbing, tech version disclosure)
- Denial of service attacks (we'll test this ourselves)
- Issues in third-party dependencies we don't control
- Self-XSS (you inject into your own account)
- Issues already disclosed or known to us
2. Rules
- Report vulnerabilities privately — do not disclose publicly until we've fixed them (or 90 days, whichever is sooner)
- Do not access or modify other users' data or accounts
- Do not perform actions that degrade Skylina's service for others
- Use the minimum steps required to demonstrate the vulnerability
- Remove any test data you create; do not retain copies of user data
- Comply with applicable laws in your security research
- Respond to our requests for clarification within 7 days
3. Safe Harbor
You are protected. If you follow these guidelines, we will not pursue legal action against you related to your security research. Your report and findings will be kept confidential. We will credit you in our release notes unless you request otherwise.
4. Response Timeline
| Stage | Timeframe |
| --- | --- |
| Acknowledgment of report | Within 24 hours |
| Initial triage and classification | Within 3 business days |
| Severity assessment and bounty decision | Within 7 business days |
| Fix deployed (critical) | Within 7 days |
| Fix deployed (high) | Within 30 days |
| Public credit (if requested) | Next release after fix |
5. How to Report
Email security@skylina.polsia.app with:
- Description of the vulnerability
- Steps to reproduce (with proof of concept if possible)
- Impact assessment
- Your name/handle (for credit, if desired)
For critical vulnerabilities, also contact emergency@skylina.polsia.app.
6. Penetration Testing
Skylina conducts annual third-party penetration testing. The most recent penetration test was completed June 2026. Results are reviewed by the engineering team and remediation is tracked in our internal security queue. We publish a summary in our Transparency Report.
For enterprise security assessments requiring access to non-production environments, contact security@skylina.polsia.app.