Program Scope

• Main Web Application: https://bugbop.com
• Publicly Accessible Subdomains: .bugbop.com

• Any services hosted by third parties, unless they impact the security of our primary assets
• Denial of Service (DoS) attacks
• Social engineering attacks

• Cross-Site Scripting (XSS)
• SQL Injection
• Authentication bypass
• Privilege escalation
• Remote Code Execution (RCE)
• Security misconfigurations
• Server-side request forgery (SSRF)

• Issues solely affecting outdated browsers
• Missing HTTP security headers (unless they lead to a proven vulnerability)
• Vulnerabilities requiring deep social engineering tactics
• Reports from automated tools without clear evidence of impact
• Any physical attempts against Gleam.io property or data centers
• Vulnerabilities that require access to the user's device or other accounts
• Denial of Service (DoS) attacks

• Limit API requests to no more than 10 requests per minute
• Avoid testing that triggers excessive emails or notifications (max 5 per hour)
• Limit login/authentication attempts to 10 per hour
• Avoid any testing that could impact system availability or other users

• Critical e.g. RCE, database access
• High e.g. privilege escalation, significant data exposure
• Medium e.g. XSS, minor API issues
• Low e.g. information disclosure without direct impact

• Provide clear, step-by-step instructions to reproduce the vulnerability.
• Include screenshots, videos, or code snippets where possible.
• Test only on your own accounts; do not access others’ data.
• Be respectful of our users’ privacy and our systems’ stability.

• We will acknowledge your report within 48 hours.
• A resolution or update will be provided within 10 business days.