Bug Bounty Program
Help us keep AryanIct.com services secure by responsibly reporting security vulnerabilities.
Introduction
At AryanIct.com, security is a top priority. We welcome responsible disclosure from security researchers and the community to help us protect our customers, systems, and services.
Participation Requirements
- You will comply with all applicable laws and regulations.
- You will let us know as soon as possible following the discovery of a vulnerability.
- You will follow the disclosure guidelines defined below.
- You will avoid accessing, modifying, or deleting customer data.
- You will only test systems you own or have explicit permission to access.
- You will keep vulnerability details confidential until remediation is complete.
Responsible Disclosure Guidelines
Researchers should include:
- A clear description of the vulnerability.
- Affected URLs, services, or endpoints.
- Step-by-step reproduction instructions.
- Proof of concept, screenshots, or videos when applicable.
- The potential impact and severity assessment.
- Contact information for follow-up.
Email: [email protected]
Initial response target: Within 3 business days
What's Not Permitted
The following activities are prohibited:
- Accessing, downloading, modifying, or deleting customer data.
- Denial-of-service (DoS/DDoS) attacks.
- Social engineering, phishing, or impersonation.
- Physical attacks against infrastructure or personnel.
- Spam, automated scanning that impacts availability, or excessive traffic generation.
- Malware, ransomware, or malicious payload deployment.
- Testing third-party services or customer environments.
- Public disclosure before written approval.
- Exploiting a vulnerability beyond what is necessary to prove its existence.
Reward Guidelines
| Severity | Reward |
|---|---|
| Low | Up to $100 |
| Medium | Up to $250 |
| High | $500 – $750 |
| Critical | $1,500+ |
Reward amounts are determined based on severity, exploitability, impact, report quality, and whether the issue is previously known.
Non-Qualifying Bugs
- Missing security headers without a demonstrable impact.
- Outdated software versions without a proven exploit.
- Rate limiting issues without abuse scenarios.
- Self-XSS that only affects the reporter.
- Clickjacking on pages without sensitive actions.
- Missing HttpOnly, Secure, or SameSite flags without exploitability.
- Best-practice recommendations without a security impact.
- Reports generated solely by automated scanners.
- Duplicate reports.
- Vulnerabilities in third-party services outside our control.
- Issues requiring unrealistic user interaction.
Safe Harbor
We will not pursue legal action against researchers who act in good faith, comply with this policy, avoid privacy violations, and promptly report vulnerabilities.
