Range Bounty Program

Helping keep Range safe and secure

The software security research community makes the web a better, safer place. We support their bug-hunting efforts with a bounty program.

To report a vulnerability, please email us at security@range.co.


Qualifying Vulnerabilities

This program covers the sites and sub-domains of range.co. To be eligible, you must demonstrate a security compromise using a reproducible exploit, including the following:

  • Cross-site scripting exploits
  • Cross-site request forgery exploits
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Injection flaws
  • Significant security misconfigurations

Exclusions

The following are not eligible for bounties:

  • Self-XSS
  • Login/Logout CSRF
  • CSRF configuration issue without exploitable proof of concept
  • Missing security headers which do not directly lead to a vulnerability
  • Sub-domains used for email analytics: *.sales.range.co go.range.co

Rules for You

  • Don’t make the bug public before it has been fixed.
  • Don’t attempt to gain access to another user’s account or data. Use your own test accounts for cross-account testing.
  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Do not impact other users with your testing, this includes testing for vulnerabilities in accounts you do not own. We may suspend your Range account and ban your IP address if you do so.
  • Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your Range account and ban your IP address.
  • No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Rules for Us

  • We will respond as quickly as possible to your submission.
  • We will keep you updated as we work to fix the bug you submitted.
  • We will not take legal action against you if you play by the rules and act in good faith.

Rewards

  • Remote code execution: $750
  • Unrestricted access to file systems or databases: $500
  • Bugs leaking or bypassing significant security controls: $500
  • Execute code on the client, including XSS: $250
  • Open redirect: $100
  • Other confirmed vulnerabilities: schwag* and recognition
  • Vulnerabilities to auxiliary services or 3rd party dependencies: schwag* and recognition.

* we can't send schwag to all locations. We'll do our best.

Final Notes

We deal only with principals, not vulnerability brokers.

If you reside in a country on a United States restricted export control list, or are on a United States state or federal criminal wanted list or restricted export control list, you are not eligible to participate in this program.

We will make the final decision on bug eligibility and value. This program exists entirely at our discretion and may be modified or canceled at any time. Any changes we make to these programs terms do not apply retroactively.

Thanks for helping us make Range more secure.


Security Hall of Fame

Range would like to acknowledge the contributions of the following people who have made a responsible disclosure to us: