Vulnerability Disclosure Program

Found a vulnerability?
Tell us first.

We review every credible report. Hall of Fame first; a voluntary recognition payment may be considered on a case-by-case basis.

Our Approach

Security is teamwork.

Security researchers are not adversaries. They are often the first to spot real vulnerabilities. We treat you with respect: honest answers, clear terms, and fair recognition. This is a Vulnerability Disclosure Program with possible Hall of Fame recognition and optional small recognition payments after case-by-case review. It is not a traditional bug bounty program with fixed or guaranteed payouts.

Apple credits our founder Chris Bohn by name in an official security update for a reported kernel vulnerability in OS X (CVE-2013-1029). We know firsthand how much work a good report takes and how important fair treatment is. Source: support.apple.com/en-us/103517
How it works

Three steps to a fix.

No bureaucracy. No forms. No hidden process.

Step 01

Report

Email . Describe the affected asset, reproduction steps, and realistic impact. The more precise you are, the faster we can review it.

Step 02

Triage

We review credible reports and usually respond within a few business days. If there are delays, we will keep you updated.

Step 03

Fix & Recognition

Fixes are prioritized by severity. Eligible, validated findings may be credited in our Hall of Fame. For suitable product vulnerabilities, we review CVE coordination.

RFC 9116

security.txt

Using a scanner or checking /.well-known/security.txt? You found us right away.


# https://www.protectstar.com/.well-known/security.txt

Contact: mailto:security@protectstar.com
Encryption: https://www.protectstar.com/security/pgp.asc
Policy: https://www.protectstar.com/security
Acknowledgments: https://www.protectstar.com/security/acknowledgments
Preferred-Languages: en, de
Canonical: https://www.protectstar.com/.well-known/security.txt
Canonical: https://protectstar.com/.well-known/security.txt
Expires: 2027-05-19T23:59:59Z

          
Open live file · Format according to RFC 9116
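A scanner that "finds you right away" still has to check that the file it found is usable: RFC 9116 requires Contact and Expires, allows Expires and Preferred-Languages only once, requires https:// for web resources, and expects the fetch URL to appear among the Canonical entries. The following parser and checker is an added example (not Protectstar's tooling); the embedded sample is a copy of the security.txt shown above, and the `now` argument lets the expiry check run against a fixed, constructed date.

```python
"""RFC 9116 security.txt parser and checker.

Added example, not Protectstar's own tooling. The embedded sample is a copy
of the security.txt shown on this page; the rules checked are the ones RFC
9116 states for the fields that file uses.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed copy of the file shown on the page (field values verbatim).
SAMPLE_SECURITY_TXT = """\
# https://www.protectstar.com/.well-known/security.txt

Contact: mailto:security@protectstar.com
Encryption: https://www.protectstar.com/security/pgp.asc
Policy: https://www.protectstar.com/security
Acknowledgments: https://www.protectstar.com/security/acknowledgments
Preferred-Languages: en, de
Canonical: https://www.protectstar.com/.well-known/security.txt
Canonical: https://protectstar.com/.well-known/security.txt
Expires: 2027-05-19T23:59:59Z
"""

CANONICAL_URL = "https://www.protectstar.com/.well-known/security.txt"

# Fields RFC 9116 says MUST NOT appear more than once.
SINGLE_VALUED = ("expires", "preferred-languages")
# Fields whose values are web resources and therefore must be https:// URLs.
HTTPS_ONLY = ("encryption", "policy", "acknowledgments", "canonical", "hiring")


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 timestamp such as 2027-05-19T23:59:59Z into an aware datetime."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> list of values (field names are case-insensitive).

    Comment lines (#) and blank lines are skipped; any other line without a
    colon is a syntax error."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed security.txt line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, fetched_from: str,
                          now: datetime | None = None) -> list[str]:
    """Return a list of findings; an empty list means the file passes every check."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    fields = parse_security_txt(text)

    # Contact and Expires are the only two fields RFC 9116 requires.
    if "contact" not in fields:
        problems.append("missing required Contact field")
    if "expires" not in fields:
        problems.append("missing required Expires field")

    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must not appear more than once")

    # Contact values must be URIs; mailto:, tel: and https:// are the forms the RFC shows.
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {contact}")

    for name in HTTPS_ONLY:
        for url in fields.get(name, []):
            if not url.startswith("https://"):
                problems.append(f"{name} must be an https:// URL: {url}")

    # Expires must parse, lie in the future and (recommended) be less than a year out.
    for value in fields.get("expires", [])[:1]:
        try:
            expires = parse_timestamp(value)
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
            continue
        if expires <= now:
            problems.append(f"file expired on {value}; its contents must not be trusted")
        elif expires - now > timedelta(days=365):
            problems.append("Expires is more than a year away (RFC 9116 recommends less)")

    # If Canonical is present, the URL the file was actually fetched from must be
    # listed; otherwise the file may be a copy planted at an unexpected location.
    canonical = fields.get("canonical", [])
    if canonical and fetched_from not in canonical:
        problems.append(f"fetched URL {fetched_from} is not among the Canonical URIs")
    return problems


if __name__ == "__main__":
    for finding in validate_security_txt(SAMPLE_SECURITY_TXT, CANONICAL_URL) or ["OK"]:
        print(finding)
```

The Canonical check is the one worth keeping in mind when automating this: a file reached at an unlisted URL (an http:// copy, a mirror, a stray subdomain) should not be treated as the organisation's contact policy even if every other field looks right.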
Scope

What’s in scope.

We are starting with a deliberately narrow scope so our team can thoroughly review every report. Reports about apps and APIs are welcome, but they will be reviewed on a case-by-case basis.

In Scope

  • www.protectstar.com & protectstar.com – Public website areas operated by Protectstar itself
  • Publicly documented update and download integrity mechanisms – Signatures and hashes on Protectstar infrastructure
  • Published file-integrity metadata – Published at protectstar.com
  • Additional subdomains – Only where explicitly listed or confirmed by us in writing

Out of Scope

  • Third-party systems & services – Shop and payment providers, app stores, CDN/hosting, external engines, SDKs, and partner services
  • APIs, license/activation servers, and internal systems that have not been explicitly confirmed
  • Social engineering & phishing – Targeting employees, support, or partners
  • DoS / DDoS / volume testing
  • Physical attacks
  • Self-XSS and missing best-practice headers without impact
  • Beta / TestFlight / pre-release versions
Apps, backend APIs, desktop software: Reports are welcome, but they are not automatically in scope or eligible for recognition. We review every report on a case-by-case basis.
Safe Harbor

Research in good faith. We will treat you fairly.

If you conduct security research in good faith, within this policy, and exclusively on assets explicitly listed as in scope or confirmed by us in writing, we consider that research authorized. Protectstar will not initiate or support legal action for such research to the extent the claims are within our control.

Requirements

  • No exploitation beyond what is necessary to demonstrate the vulnerability
  • No disclosure of the vulnerability to third parties before a fix
  • No exfiltration, modification, deletion, storage, or sharing of data that does not belong to you. Use test accounts whenever possible
  • No publication or disclosure without prior coordination and written approval; 90 days is our guideline, not an automatic authorization
  • No intentional service disruption or data destruction
  • Compliance with the laws that apply to you, your research, and the affected systems

If you accidentally see data that does not belong to you, stop immediately, do not access it further, copy it, modify it, delete it, or share it, and report only the minimum information required for verification. This assurance applies exclusively to claims within Protectstar's control and does not authorize any conduct prohibited by law. It does not extend to activities against third-party systems, services, networks, or data and does not preclude independent action by third parties. When in doubt: ask first, not afterward.

Recognition

Hall of Fame first. Small recognition payments on a case-by-case basis.

Protectstar does not operate a traditional bug bounty program with fixed or guaranteed payouts. Our focus is on fair review, coordinated remediation, and possible Hall of Fame recognition for reports that meet our requirements. In addition, Protectstar may, at its sole discretion, offer a small voluntary monetary recognition payment for especially helpful, validated, previously unknown, in-scope reports. There is no right to payment; any decision to grant a payment, and its amount, is made only after validation of the complete technical report.

Requirements for possible Hall of Fame recognition

  • Valid and reproducibly documented
  • Previously unknown and not already under internal review
  • In scope according to the areas listed above
  • Submitted first (the first reporter counts)
  • Reported without violating this policy
  • Materially relevant to the security of Protectstar or our users
  • Without threats or payment demands before, during, or after the report

Severity classification

Severity influences fix priority and possible recognition. Hall of Fame remains our primary form of recognition.

Critical
Common examples: Remote code execution, authentication bypass, large-scale data leak, update-integrity compromise
Possible recognition: Hall of Fame; a small voluntary recognition payment may be considered after case-by-case review

High
Common examples: Privilege escalation, cryptographic weaknesses with impact, account takeover
Possible recognition: Hall of Fame; a small voluntary recognition payment may be considered after case-by-case review

Medium
Common examples: Stored XSS, IDOR with demonstrable impact, session issues
Possible recognition: Hall of Fame; an optional small recognition payment may be considered for clear, reproducible impact

Low
Common examples: Reflected XSS with limited impact, information disclosure without consequences
Possible recognition: Usually Hall of Fame or thanks; monetary recognition only in exceptional cases

Severity is assessed using CVSS 4.0 or CVSS 3.1 as a guideline. Protectstar makes the final assessment; we can explain differing assessments in writing on request. We do not negotiate amounts before receiving and validating the complete technical report.

Response times

Our target timeframes.

We are a lean team, not a 24/7 SOC. These numbers are our targets. If there are delays, we will let you know.

3 business days – Acknowledgment of receipt (target)
10 business days – Initial technical triage (target)
90 days – Coordinated disclosure (target)

Encryption

PGP key.

For sensitive vulnerability details, you can encrypt your report.

Fingerprint
B8DB 47D7 DBE5 DD63 7C65 80E0 3513 CE31 BD10 B7AD
Key ID
0x3513CE31BD10B7AD
Identity
PROTECTSTAR Support Hero
< >

This key is currently associated with and authorized by Protectstar for encrypted communication with .

Hall of Fame

Who has helped us.

Security researchers who have used our program responsibly and helped make our products more secure.

No entries yet.

Our program has just launched. Reports that meet our requirements may be credited here.

Listed under your legal name or a pseudonym upon request. For suitable product vulnerabilities, we review CVE coordination through an appropriate CNA.
Frequently Asked Questions

Before you ask.

Good-faith research means: you follow this policy, demonstrate a vulnerability without exploiting beyond what is necessary, report it to us first, and give us time to fix it. Safe Harbor no longer applies if you cross that line, exfiltrate user data, or withhold technical details to demand payment.

Not automatically. Protectstar does not operate a traditional bug bounty program with fixed or guaranteed payouts. Hall of Fame is our primary form of recognition. For especially helpful, validated, previously unknown, in-scope reports, we may offer a small voluntary monetary recognition payment at our sole discretion. We do not negotiate rewards before receiving and validating the complete technical report.

We accept anonymous reports and handle them the same way technically. Upon request, we will list you in the Hall of Fame under a pseudonym, provided the requirements are met.

We use CVSS 4.0 or CVSS 3.1 as a guideline and supplement it with impact factors from your demonstration. Protectstar makes the final assessment. If our assessment differs from yours, we can explain it on request.

For suitable product vulnerabilities, we review CVE coordination through an appropriate CNA or another suitable channel. A CVE ID is not guaranteed and depends on the CNA's CVE rules.

Yes, but only in a non-invasive, rate-limited way and on assets explicitly listed as in scope. Aggressive tools, high request rates, or tests that could affect availability for other users are not allowed. Raw scanner output without verified impact, such as missing headers, TLS notes, or version disclosure, is not eligible for recognition. When in doubt: ask first.

The first reporter counts. If a vulnerability is already known internally or has already been reported, it is not eligible for recognition. We will let you know as early as possible.

Reports about Protectstar apps and APIs are welcome. In this first phase, however, they are reviewed case by case and are not automatically eligible for recognition unless the affected asset is explicitly listed above or confirmed by us in writing. Still, please send us your report.

Send us your report.

We review credible reports and usually respond within a few business days.

PGP available · security.txt compliant with RFC 9116 · Safe Harbor for good-faith research