🔒 Responsible Disclosure Program

Security Researcher Program

Help us secure Admin's infrastructure. Report vulnerabilities responsibly, collaborate with our security team, and earn rewards for valid findings.

How It Works

A transparent, researcher-friendly process designed to reward responsible disclosure and improve our security posture.

1. Identify

Test only in-scope assets. Follow our guidelines to avoid disrupting production or accessing unauthorized data.

2. Submit

Report via our secure portal or email. Include steps to reproduce, impact analysis, and proof of concept.

3. Reward

Our security team triages within 48 hours. Valid reports are rewarded based on severity and impact.

In-Scope Assets

Tag     Asset                        Type
WEB     app.admin.com                Web Application
API     api.admin.com/v2/*           REST API
AUTH    auth.admin.com               Identity Provider
MOBILE  Admin iOS/Android Apps       Mobile Clients
DNS     *.admin.com                  Infrastructure

Out-of-Scope

Category  Details
DOS       Denial of Service / Availability attacks
SOC       Social engineering / Phishing
THIRD     CDNs, Payment gateways, Third-party scripts
PHYS      Physical security / Hardware
LOW       Self-XSS, Missing security headers (low risk)

Reward Structure

Payouts are determined by CVSS scoring, real-world impact, and exploit complexity. All rewards are paid via bank transfer or cryptocurrency upon verification.

🔴 Critical $5,000 – $15,000
🟠 High $2,000 – $5,000
🟡 Medium $500 – $2,000
🟢 Low / Info $100 – $500

* Bulk reports of the same class are consolidated. Duplicate reports are acknowledged but not rewarded.

Rules & Guidelines

We value responsible disclosure. Follow these guidelines to ensure your research is safe, legal, and rewarded.

✅ Do's

  • Test only within in-scope domains and assets
  • Submit reports through official channels only
  • Provide clear reproduction steps and PoC
  • Allow us 90 days to remediate before public disclosure
  • Use isolated accounts/test environments when possible

🚫 Don'ts

  • Access, modify, or exfiltrate production data
  • Run automated scanners that cause high traffic/load
  • Perform Denial of Service or physical attacks
  • Exploit vulnerabilities to demonstrate impact destructively
  • Disclose findings publicly before we've had time to patch

Safe Harbor Policy

We will not pursue legal action against researchers who act in good faith and follow these guidelines. Your cooperation and responsible disclosure are valued and protected.

Submit a Vulnerability

Send your report to our dedicated security inbox. Include a detailed description, steps to reproduce, impact assessment, and any relevant screenshots or PoC code.

📧 security@admin.com

Encryption optional: PGP Key ID: 0x8A4F2C91 | Response time: < 48 hours

Frequently Asked Questions

How quickly will I hear back?
We aim to acknowledge all reports within 24-48 hours. Triage and validation typically take 3-5 business days. You'll receive regular updates until resolution.
Can I test third-party services or dependencies?
No. Only assets explicitly listed in the In-Scope table are eligible. Testing third-party infrastructure violates our guidelines and may disqualify the report.
What happens if my report is a duplicate?
We'll acknowledge your submission, share the resolution timeline, and credit you publicly (with permission). Duplicate reports aren't rewarded, but we appreciate the effort.
How are payouts processed?
After validation and patching, payouts are processed within 10 business days via bank transfer, PayPal, or major cryptocurrencies. Taxes are the researcher's responsibility.