Bug Bounty Program

We at Sweap are well aware that not everything can always be bug-free - that's why we support security researchers and white-hat hackers with our Bug-Bounty-Programm.

This means:

Anyone who reports vulnerabilities or security holes found in the Sweap system to us will be rewarded.

Have you already discovered a vulnerability in our system and would like to be duly rewarded for your knowledge? Then it is important to follow these guidelines:

1. Scope

Which domains, subdomains and apps are relevant?
The following sites are particularly important to us:

  • sweap.io 

  • app.sweap.io 

  • *.sweap.io (except test and development sides)

  • Sweap App iOS 

We are happy to accept reports for other sites, but they are not part of this program.

Out of scope are in particular, if not mentioned above:

  • IPs that are registered to Sweap and MATE Development GmbH

  • Pages with a certificate from Sweap

  • Pages containing only the word 'Sweap', 'Sweap.io', "Mate" or "Mate Development GmbH".

2. Responsible Disclosure

To be eligible for a reward, please comply with the following reporting process:

  • We need enough time to answer their email and fix the gaps. 

  • The gap must not be disclosed to any third party before it is fixed.

  • Please provide us with information to verify and reproduce the gap - preferably a proof of concept script!

  • What we do not want to receive as part of notifications are:

    • Personal data (Personally identifiable information)

    • Credit card data

  • Please let us know the IP from which you tested. This way we can better understand the gap.

  • Please send us only one message per e-mail.

  • Please send us another e-mail if you have found another vulnerability.

For this we offer:

  • A quick response to your message (an acknowledgement of receipt) comes immediately and usually a message is answered within two working days.

  • We do not guarantee to take any legal action against you.

  • We close the gap found as soon as possible. 

  • After we confirm and fix the gap, they will be paid a reward.

3. Detect Security Gaps and Vulnerabilities

It is particularly important to us to protect the data of our customers.

Gaps that expose this data are of particular importance. A gap or vulnerability is anything that meets at least one of the following requirements:

  • Unauthorized code is executed. 

  • Sensitive information is disclosed (e.g. passwords).

  • It compromises the integrity of systems.

  • User data is disclosed.

  • User data is changed.

  • Unauthorized access to sensitive data or resources is enabled.

  • Privileges are increased.

  • The system of user can be damaged.

In addition, the gaps must in any case:

  • actually be exploited (Please do not report theoretical gaps!);

  • be exploitable from the Internet.

Please pay attention to:

  • Our infrastructure should not be affected - no brute-force-attacks or scanners with more than one request per second (1 req/s)!

  • The privacy of our users has the highest priority: sensitive data may not be modified, deleted, downloaded, or published. If you suspect that you can access sensitive data, contact us, and we will provide a test account, or you can use a free account you created.

4. Excluded Security Vulnerabilities 

The following vulnerability categories are excluded from the program:

  • Social Engineering, Spam, Phishing, etc.

  • physical attacks, e.g. burglary

  • DDOS attacks and attacks requiring a high volume of data

  • Vulnerabilities or 0-Days in third party software or websites that do not belong to MATE Development GmbH

  • Clickjacking attacks  

  • DNS misconfigurations, e.g. non-restrictive SPF records

  • lack of best practices in headers, SSL/TLS, DNS

  • Vulnerabilities and backdoors caused by malware

  • POST-based reflected XSS, CSRF login/logout 

  • user enumeration and insufficient password complexity

  • Direct IP access

  • Missing rate limiting

  • Vulnerabilities that can only be exploited if another user's account, such as email, is compromised

5. Your Reward

So that we can pay you a reward:

  • Make sure you meet the criteria we have listed under "Responsible Disclosure" and "Security Gaps and Vulnerabilities"!

  • Your message is the first message about the vulnerability. Identical messages for different domains are combined into one message.

  • You are not an employee of MATE Development GmbH, a supplier or a contractual partner.

  • You must write an invoice to MATE Development GmbH for the reward. You are responsible for all tax implications depending on your country of residence and citizenship. Depending on local law, there may be additional restrictions on your participation. We generally pay out only by wire transfer and in euros. Rewards in bitcoins, or similar are generally excluded.

  • We cannot make disbursements to individuals who are on sanctions lists or are in countries that are on sanctions lists (for example: Cuba, Iran, North Korea, Syria, Crimea, Russia).

  • The reward is based on the severity of the gap, the effort to find the gap and the quality of the report. This is determined by us at our own discretion. We are guided by the CVSS 3.1 Base Score.

Reward Amounts
Vulnerabilty severity Low Medium High Critical
Reward 0 € 50-100 € 100-250 € 250+ €

6. And This is How You Report a Vulnerability

If you have found a security hole or vulnerability, please send us an email at bugbounty@sweap.io. You can also use this to send questions or comments about the bug bounty program.

This is not a competition, but a discretionary rewards program.

  • We reserve the right to terminate the program at any time.

  • The decision whether or not to pay a premium is entirely at our discretion.

Thank you very much!

your Sweap Security Team

Data Privacy at Sweap