🔒 Responsible Disclosure Program

Help Us Keep Knowledge Safe

We partner with security researchers worldwide to identify vulnerabilities and protect millions of learners, contributors, and experts. Find a bug? We'll reward you.

What's Covered?

We welcome reports for vulnerabilities affecting our core platforms, APIs, and authenticated user environments.

In-Scope Targets

  • app.aevumencyclopedia.com
  • api.aevumencyclopedia.com (v1, v2)
  • docs.aevumencyclopedia.com
  • Aevum iOS & Android Applications
  • OAuth & SSO Authentication Flows
  • Contributor & Admin Dashboards

Out-of-Scope

  • 3rd-party payment/checkout processors
  • DDoS, brute-force, or volumetric attacks
  • Social engineering & phishing
  • Already publicly disclosed vulnerabilities
  • Automated scan reports without proof
  • Content scraping or availability issues

Severity & Payout Structure

Compensation is based on the CVSS score, demonstrated impact, and exploitability. Payouts are processed within 14 business days of the fix being verified (see Submission Lifecycle below).

Severity | Description | CVSS Range | Reward
Critical | RCE, SQLi, authentication bypass, data breach | 9.0 - 10.0 | $5,000 – $15,000
High | Stored XSS, IDOR, privilege escalation | 7.0 - 8.9 | $2,000 – $5,000
Medium | Reflected XSS, CSRF, open redirects | 4.0 - 6.9 | $500 – $2,000
Low | Information disclosure, rate-limiting issues | 0.1 - 3.9 | $100 – $500
Info | Best-practice improvements, minor flaws | n/a | $0 – $100 / swag

Submission Lifecycle

Transparent, fast, and respectful. We treat researchers as partners, not adversaries.

Discover

Identify a vulnerability within our in-scope assets. Ensure you have permission to test.

Submit

File a detailed report via our secure portal. Include steps to reproduce, impact, and PoC.

Triage

Our security team acknowledges within 24 hours and validates severity within 72 hours.

Fix & Reward

Once patched and verified, you'll receive your payout via PayPal, Wise, or crypto (USDC/ETH).

Responsible Disclosure

📋 Submission Guidelines

  • Proof of Concept: Required. Theoretical findings without a PoC may be marked informational.
  • No Data Modification: Do not alter, delete, or exfiltrate user data during testing.
  • Safe Testing: Automated scans are allowed but must be rate-limited to avoid impact; scanner output alone is not a valid report.
  • Clear Communication: Use our secure form only. Do not contact engineers directly.

⚖️ Safe Harbor Policy

Aevum Encyclopedia will not initiate legal action against, or refer to law enforcement, anyone who in good faith, and within the scope and guidelines of this program, tests our systems to identify vulnerabilities. We ask that you respect this policy and disclose findings responsibly through our official program channels.

Frequently Asked Questions

How long does it take to get paid?
Once a vulnerability is validated and patched, payouts are processed within 14 business days. We support PayPal, Wise, and crypto (USDC/ETH) for faster cross-border transactions.
Can I report a vulnerability found in a third-party library?
If the vulnerability directly impacts Aevum's infrastructure or user data through our use of the library, it may qualify. However, we prioritize bugs in our own codebase and configurations.
What happens if I don't agree with the severity rating?
You can request a review within 7 days of our decision. Our lead security engineer will reassess the finding against CVSS standards and provide a final determination.
Is public disclosure allowed?
We request a 90-day embargo before public disclosure to allow us to patch responsibly. After resolution and embargo, we welcome coordinated disclosure and will credit you.

Found a Vulnerability? Report It Now

Join thousands of ethical hackers helping us build a safer knowledge ecosystem for millions worldwide.
