Welcome!
We're excited to invite security bug hunters from all backgrounds to help us make Acquire a more secure platform for everyone. Your expertise helps us identify vulnerabilities before they can be exploited, and we value your contributions to our security efforts.
Program Scope
We appreciate reports that can help us improve our security posture. Please review the following details carefully before submitting your findings.
In-Scope Assets
- Web sites acquireglobal.com, acquire.co.nz, and acquireit.com.au.
- APIs @ api.acquireglobal.com.
Out-of-Scope Assets
- Any services hosted by third parties, unless they impact the security of our primary assets.
- Marketing pages (e.g., blog, landing pages).
- Physical offices and infrastructure.
- Employee social media accounts.
Vulnerabilities We're Interested In
- Cross-Site Scripting (XSS)
- SQL Injection
- Authentication bypass
- Privilege escalation
- Misconfigured access controls
- Remote Code Execution (RCE)
- Security misconfigurations
- Server-side request forgery (SSRF)
Vulnerabilities Out-of-Scope
- Issues solely affecting outdated browsers
- Missing HTTP security headers (unless they lead to a proven vulnerability)
- Vulnerabilities requiring physical access
- Self-XSS requiring significant user interaction
- Reports from automated tools without clear evidence of impact
- Theoretical vulnerabilities without proof of exploitation
- Vulnerabilities already know to us.
Rewards
We offer bounties based on the severity and impact of the vulnerability and as a small business we evaluate bounties on a case by case basis.
- Critical: Full system compromise or large-scale breach
eg, Remote Code Execution (RCE) database access, admin panel access - High: Access to sensitive data or elevated privileges without full compromise
eg, Privilege escalation, significant data exposure, authentication bypass - Medium: Abuses that require some user interaction or unusual conditions
eg, Cross-Site Scripting (XSS), CSRF, minor API issues - Low: Minor misconfigurations or information disclosure
eg, Information disclosure without direct impact, missing security headers
Note: Reports without clear security implications or that require unrealistic attack scenarios will not be rewarded.
Submission Guidelines
- Provide clear, step-by-step instructions to reproduce the vulnerability
- Include screenshots, videos, or code snippets where possible
- Test only on your own accounts; do not access others' data
- Describe the potential impact and attack scenario
- Be respectful of our users' privacy and our systems' stability
Rate Limits & Testing Constraints
- Limit requests to no more than 10 requests per minute
- Avoid testing that triggers excessive emails or notifications (max 5 per hour)
- Limit login/authentication attempts to 10 per hour
- Avoid any testing that could impact system availability or other users
Our Commitment
- We will acknowledge your report within 7 business days
- A resolution or update will be provided within 14 business days
- We will keep you informed about the status of your report
- We will recognize your contribution if you wish to be acknowledged
Legal Safe Harbor
This program follows a "safe harbor" approach. As long as your research is conducted responsibly and within the program's scope, we consider it authorized. If legal questions arise, we'll work with you to understand and resolve them.
