Updated May 24, 2023
Responsible Disclosure Policy
Security is a top priority for Pipe, and we believe that working with skilled security researchers can identify weaknesses in any technology. To recognize their efforts and the important role they play in keeping Pipe and our users safe, we offer a bounty for reporting certain qualifying security vulnerabilities. Please review the rules of engagement as well as how to participate in our private bug bounty program with HackerOne.
If you believe you’ve discovered a potential vulnerability or are interested in working with us to find potential vulnerabilities, please read the Responsible Disclosure Policy below. By submitting vulnerability reports you agree that you’ve read, understood, and will follow our Responsible Disclosure Policy.
Rules of Engagement
Be careful with sensitive information. If sensitive information such as personal information or user credentials is uncovered as part of your research, stop and report it to us immediately. Do not save, store, copy, or otherwise retain sensitive information, and work with us on any additional requests we may have.
Test responsibly. Only interact with and test bugs against accounts you own. Reach out to us if you need help with testing cross-account issues. Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope. Keep the details of any discovered vulnerabilities confidential until they are authorized for release by the Pipe security team.
Do not cause harm. Do not engage in activities that disrupt, damage, or otherwise cause harm to or defraud Pipe, our users, our employees, or our brand — including denial of service attacks, social engineering, phishing, spam, social media scams, fraudulent transactions, or physical attacks.
Violation of any of our Rules of Engagement may result in (but is not limited to) ineligibility for a bounty and/or permanent disqualification from receiving a bounty for future vulnerability reports.
Reporting & Bug Bounty Program
Pipe operates a private vulnerability disclosure and bug bounty program with HackerOne. Our HackerOne program describes in more detail which systems and behaviors are in scope of the program.
If you would like to participate in our bug bounty program, please email firstname.lastname@example.org with your HackerOne username or email address. A member of our security team will invite you within 2 business days.