
Mate’s Bug Bounty Program

Introduction

Mate Security Ltd. (“Mate”, “we”, “our”, or “us”) values the contributions of security researchers and the broader security community.
This Bug Bounty Program (“Program”) establishes a framework for the responsible disclosure of security vulnerabilities to Mate by the Program participants (“participant” or “you”), and, where applicable, provides monetary rewards for eligible reports submitted in accordance with these terms (“Terms”).
If you believe you have identified a high to critical security vulnerability affecting our SaaS offering, please report it to us promptly in accordance with these Terms.
By submitting a report under this Program, you agree to act in good faith and to comply with these Terms.
Security testing conducted in accordance with these Terms and the below participation rules is considered authorized by Mate for purposes of this Program.

Eligibility

To be eligible for a reward, you must meet all the following:

  • You are not an employee, contractor, officer, director, or agent of Mate or any of its controlled affiliates, and you do not have privileged internal access to Mate systems or information.
  • You are not an immediate family member or household member of any of the above.
  • You are at least 18 years old.
  • You are not prohibited from participating by applicable law, including if you are located in or ordinarily resident in any jurisdiction subject to comprehensive sanctions under applicable law, including Israeli or U.S. export control or sanctions laws.
  • Mate reserves the right to determine eligibility for participation or rewards at its sole discretion.

Participation Rules

You must:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
  • Limit testing to the minimum necessary to confirm the existence and impact of the vulnerability.
  • Cease testing and promptly submit a report once sufficient information has been gathered to describe and reproduce the issue.
  • Submit one vulnerability per report, unless multiple issues must be chained to demonstrate impact.

You must not:

  • Conduct Denial of Service (DoS/DDoS) attacks, load testing, or any activity that degrades or disrupts service availability.
  • Engage in social engineering (including phishing, pretexting, or impersonation) targeting our employees, contractors, customers, or partners.
  • Perform physical testing or attempt to access our offices, facilities, or devices.
  • Access non-public data beyond what is strictly necessary to demonstrate impact, or retain, copy, exfiltrate, disclose, or otherwise use any personal or confidential information encountered.
  • Use malware designed to cause harm or disruption to systems or data, or any such script or techniques, or send spam or unsolicited bulk communications.
  • Use leaked credentials. If you discover credentials that appear to belong to Mate, its customers, or partners, report them immediately and do not attempt to validate them by logging in.
  • Use automated testing tools.
  • Generate excessive or disruptive traffic; you should always ensure testing does not negatively impact service availability or performance.
  • Violate any applicable law, or take any action that may negatively affect Mate.

Covered Assets

This Program applies only to high/critical security vulnerabilities in our SaaS offerings (“services” or “Covered Assets”).

The Program does not apply to third-party services or vendors not controlled by us, even if integrated with our services. Vulnerabilities affecting third-party services should be reported directly to the relevant provider unless the issue arises solely from Mate’s implementation or configuration.
For the avoidance of doubt, customer accounts, customer environments, customer data, or systems owned or operated by Mate customers are out of scope unless expressly authorized in writing by Mate.
Additionally, the Program excludes findings that require physical access, as well as low-impact issues such as missing security headers without demonstrated exploitability, scanner-only reports without proof of concept, clickjacking or open redirects without material impact, etc.
If you are uncertain whether a target is a Covered Asset, please contact bug-bounty@matesecurity.io before conducting further testing.

Non-Eligible Submissions

As noted, only submissions that directly relate to specific high/critical risk vulnerabilities will be considered for a potential reward. The following is a non-exhaustive list of examples of submissions considered to be out-of-scope in terms of being considered for a potential reward.

  • Missing HTTP security headers
  • Mail configuration issues including SPF, DKIM, DMARC settings
  • Email spoofing
  • Missing security headers that do not directly contribute to a high-risk vulnerability
  • Outdated software that does not directly contribute to a notable vulnerability
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Fingerprinting/banner disclosure on common/public services
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Clickjacking and issues only exploitable through clickjacking
  • Missing best practices (we require evidence of a security vulnerability)
  • Any vulnerability discovered by a scanner without additional proof of validation
  • Reports from automated tools or scans.
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
  • Absence of rate-limiting
  • Editable GitHub wikis
  • Outdated software without any noteworthy vulnerability
  • Content spoofing or HTML injection, unless accompanied by a proof of concept that demonstrates a security risk beyond injecting plain text
  • Vulnerabilities only affecting older browsers
  • Existence of access-controlled administrative pages
  • Reports regarding password policies
  • Vulnerabilities unrelated to our cloud offering (e.g. public website)
  • Attacks requiring a “man in the middle” or physical access to a user’s device
  • CSRF issues that do not lead to account theft
  • DNS takeover susceptibility
  • Ability for users to perform content scraping (video downloading/harvesting)
  • High account lockout thresholds
  • Attacks that only work against yourself (e.g. host header injection)
  • Issues related to software or protocols not under Mate’s control
  • API key / secret disclosure that is intentional / by design, and does not enable a vulnerability
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing HttpOnly or Secure flags on cookies
  • Tabnabbing
  • Open redirect – unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction

Report Submission and Confidentiality

Please submit your report to bug-bounty@matesecurity.io and include:

  • Affected Asset (product, feature, URL, API endpoint, or component)
  • Clear description of the issue, including the type of vulnerability
  • Impact and realistic attack scenario, including prerequisites and expected attacker gains
  • Reproduction instructions, and where appropriate, proof of concept (e.g., screenshots, logs)
  • Testing environment details, including browser, operating system, and app version

Reports that lack sufficient detail to allow reproduction of the issue may be closed.

Reports submitted under this Program will be treated as confidential and used solely for the purpose of investigating, mitigating, remediating, and improving the security of Mate’s services.

By submitting a report, you grant Mate a non-revocable, non-exclusive, worldwide, royalty-free license to use, reproduce, and modify the report for such purposes.

Response Timeline

We strive to address reports promptly and will make best efforts to follow the timelines below:

  • Initial acknowledgment: within 5 business days
  • Triage outcome: within 15 business days after acknowledgment
  • Reward decision (if applicable): within 30 business days after triage

These timelines are indicative only and do not constitute a binding commitment. Timelines and handling of reports may vary depending on the complexity, severity, and operational considerations, at Mate’s discretion. Mate does not guarantee that any reported vulnerability will be remediated within a specific timeframe.

  • Submission of a report does not guarantee eligibility for, or payment of, any reward.
  • All reward decisions made by Mate are final and not subject to appeal.
  • Where multiple submissions relate to the same underlying vulnerability, only the first valid report may be eligible for a reward.
  • Findings arising from the same root cause may be treated as a single issue for reward purposes.
  • Rewards may be subject to identity verification, applicable laws, and payment processing requirements.
  • As a condition for receiving any reward, you may be required to provide applicable tax forms, invoices (where applicable), identification details, or other documentation reasonably requested by Mate or its payment provider to comply with legal, tax, or payment processing requirements.

Rewards

Mate may grant monetary rewards based on the severity, impact, quality, and exploitability of the reported vulnerability.

Coordinated Disclosure

Public disclosure of any vulnerability, in whole or in part, is strictly prohibited without our prior written approval. This includes social media or sharing technical details with third parties.

Participants taking part in our Program must ensure that Mate has the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses vulnerability or exploit information to the public. Any disclosure to the public without the prior agreement of Mate and our ability to analyze and resolve the vulnerability will result in the forfeit of any potential reward and a permanent ban from the Program.

General

  • Compliance with Law.

    You must comply with all applicable laws and regulations in connection with your participation in this Program. Any unlawful activity is strictly prohibited.

  • Privacy.

    Any personal data submitted in connection with the Program will be processed in accordance with our Privacy Policy.

  • Safe Harbor.

    If you act in good faith and in compliance with these Terms, Mate will not pursue legal action against you for security research conducted in accordance with this Program, to the extent permitted by applicable law. This Safe Harbor does not apply to activities that violate applicable law or fall outside the scope of this Program.

  • Taxes.

    You are solely responsible for any taxes, reporting obligations, or other governmental charges arising from any reward you receive.

  • Jurisdiction and Governing Law.

    These Terms shall be governed by the laws of the State of Israel, in the competent courts of the Tel Aviv district.

  • Independent Parties.

    Participation in the Program does not create any employment, agency, or partnership relationship.

  • No Waiver.

    Our review of any report, communications with you, or decision regarding eligibility or rewards does not constitute a waiver of any rights, claims, or remedies available to us.

  • Modifications and Termination.

    Mate reserves the right, at its sole discretion, to modify, suspend, or terminate this Program, or any part thereof, including the eligibility criteria, scope, participation rules, or reward structure (including reward amounts), at any time and without prior notice. Any such modification, suspension, or termination will not affect rewards already granted prior to the effective date of such change. Participation in the Program following any modification constitutes acceptance of the updated Terms.

mate security All Rights Reserved © 2026 Mate