SWEAP SECURITY BOUNTY

Bug Bounty Program

We at Sweap are well aware that not everything can always be bug-free - that's why we support security researchers and white-hat hackers with our Bug Bounty Program.

Temporary Pause of Bug Bounty Program

Please note that as of 22.01.2024, Sweap’s Bug Bounty Program will be temporarily paused. During this period, we will not be accepting new submissions or inquiries related to the program. This pause allows us to implement improvements and updates to the program. We appreciate your understanding and encourage you to check back for updates regarding the resumption of the program. Thank you for your interest and support in helping to enhance Sweap's security.

This means:

Anyone who reports vulnerabilities or security holes found in the Sweap system to us will be rewarded.

Have you already discovered a vulnerability in our system and would like to be duly rewarded for your knowledge? Then it is important to follow these guidelines:

1. Scope

Which domains, subdomains and apps are relevant?
The following sites are particularly important to us:

  • sweap.io 

  • app.sweap.io 

  • *.sweap.io (except test and development sites)

  • Sweap App iOS 

We are happy to accept reports for other sites, but they are not part of this program.

Unless mentioned above, the following are out of scope in particular:

  • IPs that are registered to Sweap and MATE Development GmbH

  • Pages with a certificate from Sweap

  • Pages containing only the word "Sweap", "Sweap.io", "Mate" or "Mate Development GmbH".

2. Responsible Disclosure

To be eligible for a reward, please comply with the following reporting process:

  • We need enough time to answer your email and fix the gaps.

  • The gap must not be disclosed to any third party before it is fixed.

  • Please provide us with information to verify and reproduce the gap - preferably a proof of concept script!

  • What we do not want to receive as part of notifications are:

    • Personal data (Personally identifiable information)

    • Credit card data

  • Please let us know the IP from which you tested. This way we can better understand the gap.

  • Please send us only one message per e-mail.

  • Please send us another e-mail if you have found another vulnerability.

For this we offer:

  • An acknowledgement of receipt is sent immediately, and a message is usually answered within two working days.

  • We do not guarantee to take any legal action against you.

  • We close the gap found as soon as possible. 

  • After we confirm and fix the gap, you will be paid a reward.

3. Detect Security Gaps and Vulnerabilities

It is particularly important to us to protect the data of our customers.

Gaps that expose this data are of particular importance. A gap or vulnerability is anything that meets at least one of the following requirements:

  • Unauthorized code is executed. 

  • Sensitive information is disclosed (e.g. passwords).

  • It compromises the integrity of systems.

  • User data is disclosed.

  • User data is changed.

  • Unauthorized access to sensitive data or resources is enabled.

  • Privileges are increased.

  • A user's system can be damaged.

In addition, the gaps must in any case:

  • actually be exploitable (please do not report theoretical gaps!);

  • be exploitable from the Internet.

Please pay attention to:

  • Our infrastructure must not be affected - no brute-force attacks or scanners with more than one request per second (1 req/s)!

  • The privacy of our users has the highest priority: sensitive data may not be modified, deleted, downloaded, or published. If you suspect that you can access sensitive data, contact us, and we will provide a test account, or you can use a free account you created.

4. Excluded Security Vulnerabilities

The following vulnerability categories are excluded from the program:

  • Social engineering, spam, phishing, etc.

  • Physical attacks, e.g. burglary

  • DDoS attacks and attacks requiring a high volume of data

  • Vulnerabilities or 0-days in third-party software or websites that do not belong to MATE Development GmbH

  • Clickjacking attacks

  • DNS misconfigurations, e.g. non-restrictive SPF records

  • Lack of best practices in headers, SSL/TLS, DNS

  • Vulnerabilities and backdoors caused by malware

  • POST-based reflected XSS, CSRF login/logout

  • User enumeration and insufficient password complexity

  • Direct IP access

  • Missing rate limiting

  • Vulnerabilities that can only be exploited if another user's account, such as email, is compromised

5. Your Reward

So that we can pay you a reward:

  • Make sure you meet the criteria we have listed under "Responsible Disclosure" and "Security Gaps and Vulnerabilities"!

  • Your message must be the first report of the vulnerability. Identical reports for different domains are combined into one.

  • You are not an employee of MATE Development GmbH, a supplier or a contractual partner.

  • You must write an invoice to MATE Development GmbH for the reward. You are responsible for all tax implications depending on your country of residence and citizenship. Depending on local law, there may be additional restrictions on your participation. We generally pay out only by wire transfer and in euros. Rewards in bitcoins, or similar are generally excluded.

  • We cannot make disbursements to individuals who are on sanctions lists or are in countries that are on sanctions lists (for example: Cuba, Iran, North Korea, Syria, Crimea, Russia).

  • The reward is based on the severity of the gap, the effort to find the gap and the quality of the report. This is determined by us at our own discretion. We are guided by the CVSS 3.1 Base Score.

Reward Amounts

  Vulnerability severity   Low    Medium     High        Critical
  Reward                   0 €    50-100 €   100-250 €   250+ €

6. And This is How You Report a Vulnerability

If you have found a security hole or vulnerability, please send us an email at bugbounty@sweap.io. You can also use this to send questions or comments about the bug bounty program.

This is not a competition, but a discretionary rewards program.

  • We reserve the right to terminate the program at any time.

  • The decision whether or not to pay a premium is entirely at our discretion.

Thank you very much!

Your Sweap Security Team
