[🐛 Security]
Bug Bounty Program
Help us find vulnerabilities and earn rewards. SpacePe's responsible disclosure and security researcher reward program - because the best security comes from the community.
Scope of Testing
Assets eligible for security testing.
✓ SpacePe web application (app.spacepe.io) - all authenticated and unauthenticated functionality including dashboard, invoicing, payments, and admin panels
✓ SpacePe API endpoints (api.spacepe.io) - all documented and undocumented endpoints, including authentication, payment processing, and webhook delivery
✓ Authentication, authorization, and session management systems - SSO integrations, MFA flows, API key issuance, RBAC enforcement, and token lifecycle
✓ Payment processing, fund transfer, and settlement flows - IMPS/NEFT/RTGS/UPI payment initiation, approval workflows, bulk payments, and virtual account operations
✓ Data encryption at rest and in transit, key management, and certificate handling across all platform services
✓ Mobile-responsive web application interfaces, WebSocket connections, and real-time notification delivery channels
Bounty Rewards
Reward tiers based on CVSS severity scoring and business impact.
✓ Critical (CVSS 9.0-10.0) - Remote code execution, authentication bypass enabling fund theft, mass data exfiltration of financial records: ₹50,000 - ₹2,00,000
✓ High (CVSS 7.0-8.9) - Stored XSS in financial contexts, IDOR accessing other customers' financial data, privilege escalation to admin roles: ₹20,000 - ₹50,000
✓ Medium (CVSS 4.0-6.9) - CSRF on sensitive financial actions, information disclosure of PII or transaction data, business logic bypass: ₹5,000 - ₹20,000
✓ Low (CVSS 0.1-3.9) - Reflected XSS, missing security headers on non-sensitive pages, verbose error messages leaking stack traces: ₹1,000 - ₹5,000
✓ Bounty rewards are paid within 30 calendar days of verified report acceptance, via NEFT to the researcher's Indian bank account or by international wire for non-resident researchers
✓ Top-ranked researchers are featured on our Security Acknowledgments page (with consent) and receive priority access to pre-release security testing
Rules of Engagement
Mandatory guidelines for responsible and lawful security testing.
✓ Do not access, modify, delete, or exfiltrate data belonging to other SpacePe users or customers. Testing must be limited to your own test accounts created in the sandbox environment provided upon request.
✓ Do not perform denial-of-service (DoS/DDoS) attacks, resource exhaustion attacks, or any activity that degrades platform availability for production users.
✓ Do not use automated vulnerability scanners (Burp Suite automated scan, Nessus, Acunetix) against production systems without prior written approval from security@spacepe.io. Manual testing is always permitted in scope.
✓ Submit all findings to security@spacepe.io with: affected endpoint/parameter, detailed reproduction steps, proof-of-concept code or screenshots, and your assessed CVSS severity. A PGP encryption key is available on our security page.
✓ Observe a 90-day coordinated disclosure window from the date SpacePe acknowledges receipt. Do not disclose to any third party before SpacePe confirms the vulnerability has been remediated and deployed.
✓ Duplicate reports are rewarded on a first-come, first-served basis. The first reporter of a unique vulnerability receives the bounty; subsequent reporters of the same issue receive acknowledgment only.
Out of Scope
Activities and findings not eligible for bounty rewards.
✓ Social engineering, phishing, or pretexting attacks against SpacePe employees, contractors, customers, or banking partners
✓ Physical security testing of SpacePe offices, co-location facilities, or partner data centers
✓ Denial-of-service, brute-force login attacks, or rate-limit stress testing against production infrastructure
✓ Reports generated solely by automated scanners, without manual verification and a demonstration of confirmed exploitability
✓ Vulnerabilities requiring physical access to the victim's device, compromised browser extensions, or pre-existing malware on the endpoint
✓ Issues in third-party services, open-source libraries, or banking partner systems integrated with but not operated by SpacePe