altilly Bug Bounty Program


We will pay you for reporting valid security issues on altilly.com


Rules for you

Don't attempt to gain access to another user's account or data.

Don't perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.

Don't publicly disclose a bug before it has been fixed.

Only test for vulnerabilities on sites you know to be operated by altilly. We use other services for customer support and those websites should not be tested.

Don't use scanners or automated tools to find vulnerabilities. They're noisy and your IP address will probably get banned.

Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

When in doubt, contact us via the support ticket system.


Rules for us

We will respond as quickly as possible to your submission.

We will keep you updated as we work to fix the bug you submitted.

We will not take legal action against you if you play by the rules.


What does not qualify

Bugs that don't affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope.

Bugs requiring exceedingly unlikely user interaction.

Insecure cookie settings for non-sensitive cookies.

Disclosure of public information and information that does not present significant risk.

Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.

Bugs in content/services that are not owned/operated by altilly. This includes third party services operating on subdomains of altilly.com.

Vulnerabilities that altilly determines to be an accepted risk will not be eligible for a paid bounty.

Scripting or other automation and brute forcing of intended functionality.

When in doubt, contact us via the support ticket system.


Rewards range from $25 up to $10,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.

Severity classifications

We will classify your report into one of the following severity classifications:

Classification | Typical Bounty | Description
No Bug | $0 | If we determine it to be something that cannot affect a customer
Very Low | $25 | Minimal effect to customer - no fund loss.
Low | $50 | Minimal effect to customer - possible account actions, but no fund loss
Medium-Low | $100 | Medium to low effect to a targeted customer, but does not necessarily affect all
Medium | $250 | Medium effect to a targeted customer, but does not necessarily affect all
Medium-High | $250 - $500 | Medium to high effect to a targeted customer, but does not necessarily affect all
High | $500 - $1500 | Affects all customers or the integrity of our system and/or data
Very High | $1500 - $5000 | Affects all customers or the integrity of our system and/or data
Critical | $5000 - $10000 | Affects all customers or the integrity of our system and/or data

You can report your bugs via our customer support ticket system. Please make sure to include "Bug Bounty" in the subject of your ticket.