Bug Bounty Program

Happeo looks forward to working with the security community to find vulnerabilities in order to keep our customers and users safe. Our Bug Bounty Program outlines how security researchers can report vulnerabilities to us and what to expect when participating.

At Happeo, we take the security of our platform and our users seriously, and we commit to a vulnerability disclosure process by:

  • Acknowledging receipt of vulnerability reports promptly
  • Providing timely updates on the status of reported vulnerabilities
  • Giving appropriate reward and recognition to security researchers who help improve our security
  • Working with researchers to understand and remediate vulnerabilities

Thank you for helping keep Happeo and our users safe!

Disclosure Principles

We ask all participants to adhere to these five core principles:

  1. Do no harm. Use minimally invasive methods to verify vulnerabilities and avoid actions that could damage systems, disrupt services, or compromise user data.
  2. Respect privacy. Avoid accessing, modifying, or exfiltrating personal data; immediately stop and report if you encounter sensitive information.
  3. Stay in scope. Conduct testing only within authorized systems and seek explicit permission before expanding your activities.
  4. Disclose responsibly. Report vulnerabilities directly to us with complete information and respond to requests for clarification.
  5. Exercise patience. Allow reasonable time for assessment and remediation before requesting status updates.

Program Rules

  1. As this is a private program, please do not discuss this program or any (open or resolved) vulnerabilities outside of the program without express consent from the organization.
  2. Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  3. Only interact with accounts and services you own or with explicit permission of the account holder.
  4. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  5. Please provide detailed reports with reproducible steps of an exploit or proof of concept.
  6. Do not submit videos unless your attack is not possible to describe in writing (and with screenshots if need be). If you submit a video, include a written description, including reproduction steps, and observed issues.
  7. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  8. If the same vulnerability affects multiple parts of the product, please let us know in a single report. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty; however, we'll take into consideration the number of affected parts of the product when assessing severity.
  9. When duplicates occur, we only award the first report that was received.

Scope

The Happeo application and APIs, aside from the exclusions listed below, are in scope for this program.

The following areas are out of scope:

Exclusions

  1. Reports that we are unable to reproduce.
  2. Reports that are simply the output from an automated security scanner. Feel free to use security scanners, but please don't copy-paste their output into our program without additional insight. If you can't produce an attack, even a hypothetical one, we are unlikely to award a bounty.
  3. Duplicate reports. A report is a duplicate if we have another report for the issue or if our other security review processes have already identified the issue.
  4. A specific vulnerable behavior found in one part of Happeo is not necessarily eligible for a bounty if an identical problem is uncovered in another part of Happeo, though we'll assess this on a case-by-case basis.
  5. Happeo uses several third-party services. If they have vulnerabilities, we'd like to know. We can't guarantee a bounty for those but we encourage you to report issues to both us and the third party. If the vulnerability might reasonably affect our users, we may at our discretion grant a bounty as determined on a case-by-case basis.

Getting Started

Happeo offers a 14-day free trial on sign-up. Additional credits can be requested through support@happeo.com.

Additional Resources

Submissions

Please submit your findings using this form.

Rewards

We reward bounties based on severity, using the CVSS calculator as a guideline and considering the context within our application.

Severity    Reward
Critical    $2500
High        $500
Medium      $300
Low         $150


Payments

Payments are conducted as bank transfers within the Single Euro Payments Area (SEPA) or international bank (wire) transfers outside the SEPA. We are not able to use checks, cryptocurrencies, or use any other money transfer services. The payment recipient is responsible for all charges or fees levied on the transfer, and for accessing the funds after transferral. Payments are by default done in Euros (EUR), and any currency conversions are completed at the current bank rate.

The recipient is liable for any taxes. If you are taxed in Finland, we are required to collect the withholding tax, and we require your personal ID number and, optionally, your taxation certificate for the current year.

We are required to report all individual researchers’ bounties to the Finnish Tax Administration regardless of where you live. In order to do this, and to actually pay, we will require your full name, date of birth and a current physical mail address, and your bank (wire) transfer details. If you have a company, we may request that you invoice us instead.

These identification requirements are imposed on us by authorities, and there are no exceptions. In addition, payments are not made to countries or jurisdictions that are under embargo, or to persons or entities on a sanctions list.