About Our Bug Bounty Program
At NiceHatCRM, we believe in the power of community-driven security.
Our Bug Bounty Program invites security researchers, ethical hackers, and technology enthusiasts to help us identify potential security vulnerabilities in our platform. We value your expertise and are committed to working with you to address any findings promptly and thoroughly.
This program is designed to create a safe, collaborative environment for responsible disclosure while recognizing and rewarding the valuable contributions of security researchers.
Program Status: Active
Our Bug Bounty Program is currently active and accepting submissions. Last updated: April 07, 2025
Program Scope
In Scope
The following domains and applications are covered by our Bug Bounty Program:
*.nicehatcrm.com- All subdomains of nicehatcrm.com- NiceHatCRM web application
- NiceHatCRM API endpoints
- NiceHatCRM mobile applications (iOS and Android)
- NiceHatCRM desktop applications
Out of Scope
The following are not part of our Bug Bounty Program:
- Third-party services or websites that integrate with NiceHatCRM
- Physical security vulnerabilities
- Social engineering attacks against NiceHatCRM employees
- Denial of Service (DoS) attacks
- Issues requiring physical access to a user's device
- Issues affecting users running outdated browsers or operating systems
- Subdomain takeovers of unused or unregistered subdomains
Important Notice
Please do not test against production systems with actual customer data. We provide a dedicated sandbox environment for security researchers at sandbox.nicehatcrm.com.
Eligible Vulnerability Types
We're particularly interested in the following types of vulnerabilities:
| Vulnerability Type | Description | Severity |
|---|---|---|
| Remote Code Execution (RCE) | Ability to execute arbitrary code on our servers | Critical |
| SQL Injection | Ability to execute arbitrary SQL queries against our databases | Critical |
| Authentication Bypass | Ability to bypass authentication mechanisms | Critical |
| Server-Side Request Forgery (SSRF) | Ability to make server-side requests to internal resources | Critical |
| Cross-Site Scripting (XSS) | Ability to execute arbitrary JavaScript in a user's browser | High |
| Cross-Site Request Forgery (CSRF) | Ability to perform actions on behalf of another user | High |
| Information Disclosure | Exposure of sensitive information | High |
| Broken Access Control | Ability to access resources or perform actions without proper authorization | High |
| Open Redirects | Ability to redirect users to arbitrary external domains | Medium |
| Security Misconfigurations | Insecure default configurations, incomplete setups, or exposed error messages | Medium |
This is not an exhaustive list. We welcome reports on other security vulnerabilities that could impact the security of our platform or our users.
Rewards
We offer monetary rewards based on the severity and impact of the vulnerability. Our reward structure is as follows:
| Severity | Reward Range |
|---|---|
| Critical | $5,000 - $10,000 |
| High | $1,000 - $5,000 |
| Medium | $500 - $1,000 |
| Low | $100 - $500 |
Bonus Rewards
We offer additional bonuses for exceptional reports with clear proof of concepts, detailed impact assessments, and suggested remediation steps. We also maintain a public Hall of Fame for our top contributors.
Severity Assessment
We determine the severity of a vulnerability based on the Common Vulnerability Scoring System (CVSS) and our assessment of the potential impact on our systems and users.
Submission Process
How to Submit
To submit a vulnerability report, please follow these steps:
- Send an email to security@nicehatcrm.com with the subject line "Bug Bounty Submission: [Brief Description]"
- For sensitive reports, you can use our PGP key available at nicehatcrm.com/security/pgp-key.asc
- Alternatively, you can use our secure submission form on this page
What to Include
A complete submission should include:
- A clear description of the vulnerability
- Steps to reproduce the issue (including any tools or scripts used)
- Proof of concept (screenshots, videos, or code)
- Impact assessment
- Suggested remediation or mitigation steps (if applicable)
- Your name and contact information for follow-up and reward processing
Sample Report Format
Title: [Vulnerability Type] in [Affected Component]
Description:
[Detailed explanation of the vulnerability]
Steps to Reproduce:
1. [First step]
2. [Second step]
3. [And so on...]
Impact:
[Explanation of the potential impact]
Suggested Fix:
[Your recommendations for addressing the issue]
Additional Information:
[Any other relevant details]Secure Submission Form
Rules and Guidelines
Do's
- Provide detailed reports with clear reproduction steps
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- Use the dedicated sandbox environment for testing
- Allow reasonable time for us to respond before disclosing any information publicly
- Keep information about any vulnerabilities you've discovered confidential until they are fixed
Don'ts
- Perform any testing on production systems with actual customer data
- Engage in social engineering attacks against our employees
- Execute Denial of Service attacks
- Access, modify, or delete data that does not belong to you
- Use automated vulnerability scanners without prior approval
- Share access to the sandbox environment with others
Legal Safe Harbor
We will not pursue legal action against you for security research conducted in accordance with these guidelines. However, this does not grant permission to violate any other applicable laws or regulations.
Hall of Fame
We'd like to thank the following security researchers for their valuable contributions to our Bug Bounty Program:
Alex Johnson
@alexj_security
5 Critical Findings
Maria Rodriguez
@maria_infosec
8 High Findings
David Kim
@dkim_security
12 Medium Findings