Introduction to ReCharge's Responsible Disclosure Policy
ReCharge's Responsible Disclosure Policy aims to reward individuals who discover and discreetly report verified security bugs in their services. The program is designed to incentivize participants to help enhance the security and quality of Recharge's offerings by identifying and reporting bugs, vulnerabilities, and exploits.
Reporting Process and Eligibility Criteria
To report a bug to ReCharge, individuals must use the designated form provided on the website and furnish detailed information about the identified issue. Eligibility for a reward is contingent upon meeting specific criteria, which include executing Recharge's Confidentiality and Terms Agreement, not being affiliated with Recharge or its affiliates, and residing in a country not under current U.S. sanctions.
Rewards and Decision-Making Process
Recharge offers a variety of rewards for qualified bug reports, with the determination of the reward amount being at the discretion of Recharge. In cases where multiple individuals report the same bug or vulnerability, the reward is split evenly among them or awarded to the first reporting party. Additionally, a single bug appearing in varied forms is treated as a single vulnerability for reward purposes.
Program Compliance and Governance
Participants are required to adhere to Recharge's Confidentiality and Terms Agreement, as well as the Terms of Use governing their involvement in the program. Recharge retains the right to modify, suspend, or terminate the program at any time. Reward recipients are responsible for any taxes incurred as a result of receiving a reward, with the program being subject to California state laws.
Security Measures and Compliance Standards
Participants must refrain from engaging in activities that violate the law, jeopardize Recharge's security, or disclose sensitive information publicly. Additionally, sharing exploit code related to a vulnerability is prohibited, unless authorized by Recharge or mandated by law. Disclosure of vulnerabilities before confirmation of resolution may result in disqualification from the program.
Exclusions and Out-of-Scope Issues
Recharge's vulnerability reporting program specifies certain issues that are considered out of scope, such as link injection without corresponding attack evidence, clickjacking on non-sensitive pages, and self-exploitation vulnerabilities. Additionally, activities leading to service disruption or utilization of outdated libraries/frameworks are not eligible for rewards.