Bug Bounty Program

Vanishd's core value proposition is trust. We invite security researchers, white-hat hackers, and the broader community to help us find and responsibly disclose vulnerabilities before anyone else does.

Program Status: Waitlist

We are building out our formal bug bounty program. In the meantime, we are actively accepting responsible disclosures and will recognize significant findings with public credit and our genuine appreciation. Join the waitlist to be notified when the formal program launches — including paid bounties and structured engagement windows.

Join the Waitlist

Be the first to know when our formal program launches. We'll notify you with scope, rules of engagement, bounty amounts, and engagement windows.

No spam. Unsubscribe at any time. We use Resend for email delivery.

What We're Looking For

In Scope

  • Authentication bypass (NextAuth, Internet Identity, Google OAuth)
  • ICP canister logic flaws (authorization, billing, data integrity)
  • API route injection or privilege escalation
  • Stripe webhook signature bypass
  • XSS, CSRF, session fixation on vanishd.io
  • SDK cryptographic issues or key handling flaws
  • Receipt forgery or Merkle proof manipulation
  • Rate limit bypass or account takeover

Out of Scope

  • DDoS / volumetric attacks (covered separately by the Resilience Testing Track below)
  • Social engineering of Vanishd staff
  • Physical attacks
  • Vulnerabilities in Stripe, Vercel, Resend, or Sentry directly
  • Self-XSS or issues requiring existing admin access
  • Automated scanner output without proof of exploitability

Resilience Testing Track

Separate from the vulnerability program, we plan to run structured load testing and resilience challenges — think "try to slow us down" engagement windows with defined rules of engagement, time windows, and recognition for participants who surface real bottlenecks. This will be coordinated through a formal platform.

Join the waitlist above to be notified when this track opens.

Platforms

When the formal program launches, we plan to use one or more of the following established bug bounty platforms. Researchers on these platforms will be able to engage with defined scope, bounty amounts, and timelines.

HackerOne

Industry-standard platform used by thousands of companies. Structured triage, CVE assignment, and coordinated disclosure.

Bugcrowd

Crowdsourced security testing with managed triage and a large researcher community.

Intigriti

European-based platform with strong community and structured engagement programs.

Rules of Engagement

01. Do not access, modify, or exfiltrate data belonging to other users.
02. Do not perform attacks that degrade service availability for real users (DDoS is out of scope for the vulnerability track).
03. Do not use automated scanners against production without prior written approval.
04. Report findings privately before any public disclosure, and give us time to fix the issue.
05. Do not test against production accounts you do not own. We will provide test accounts on request.
06. Act in good faith. We will do the same.

Report a Vulnerability Now

The formal program isn't live yet, but we are actively accepting responsible disclosures today. Use GitHub's private security advisory system — it's confidential and the preferred channel.

We respond within 72 hours. See our full SECURITY.md for the complete disclosure policy.

Recognition

We do not currently have a paid bounty program. Researchers who responsibly disclose valid vulnerabilities will receive:

Public Credit

Named in our security advisories and changelog (with your permission).

Direct Engagement

Direct communication with the team — no ticket queues.

Future Bounties

Priority access and retroactive consideration when the paid program launches.