Scope of the Programme

Our platform is made up of multiple subsystems and this programme’s scope includes our platform, public web assets,
and third party services. We will only consider vulnerabilities where the attack can exploit our customers directly.

Please do not submit reports derived from automatic scanning tools, such as SSL Labs or Nessus; we scan our systems regularly,
and will already be aware of (and be in the process of fixing) these issues.


  • Attacks that only affect individual user accounts (such as self-XSS)
  • The presence of application or web browser ‘autocomplete’ messages
  • Logout Cross-Site Request Forgeries
  • Banner disclosure on public services
  • Issues only exploitable through clickjacking
  • Issues only exploitable through compromised third party accounts
  • Issues only exploitable through user error / bad practice
  • Issues identified via DDoS-style (Distributed Denial of Service) attack methods
  • Descriptive error messages

Reporting to RapidSpike


  • Scope context – see above, only in scope assets will be considered for investigation
  • A detailed description of the vulnerability including its effects
  • Steps to reproduce including any configuration details, proof-of-concepts or exploit code
  • Explanation as to how the vulnerability affects the data integrity/security of our platform


  • Potential fix implementations or ideas
  • Links to further reading such as blogs, tutorials or CVSS scoring

What happens next?



We will respond within 2 business days and then provide updates every 20 days at most.


Review Process

The team will review all vulnerabilities reported in accordance with the guidelines set out above. We will take steps to reproduce them and will work with the researcher until such a time that the vulnerability can be completely validated.



Public disclosures will be made on our blog. If the researcher wishes to publish their findings on their own platforms then we would like this to be done simultaneously with our own disclosure.


Review Completion

Once the review is complete and the vulnerability has been confirmed, the results will be sent to the researcher along with information about its resolution and any subsequent public disclosure.


Rewards are issued at our sole discretion – we do not guarantee that the researcher’s report will result in a reward being issued.

Researchers with verified vulnerabilities will have the option to be honoured in a wall of fame with their name and a link of their choosing.

If we decide that a reward should be offered then it will be in the form of branded merchandise (i.e. stickers, T-shirts etc).

Monetary rewards will only be offered if the vulnerability is of the highest significance, which will be decided solely by us; RapidSpike